Better to remove Sury?

Hi everyone ! .o/

For a while now we have been reading about a lot of issues caused by the Sury repository. If I correctly interpret what I read, it would make the OS more stable if it could be removed.

I’ve read somewhere that the repository is automatically added if an application needs a PHP version newer than 7.0 (if I’m not mistaken, Nextcloud needs it for example).

Since Buster has been released and PHP 7.3 is now part of the official Debian repository, does anyone know if the Sury repo can safely be removed?

Problem is, we will surely see more and more apps requiring PHP 7.4 because developers want the super-top-notch-last-stuff and yolomacnuggets and then WordPress will start complaining that “herp derp 7.3 is ssooooo out of date you have to upgrade asap otherwise hackers will have access to your server !§!!1one§!!1eleven§”

So sooner or later we’ll need sury /again/.

Another thing is that it isn’t just a story of removing sury from the sources.list. Since Sury is used to install a lot of PHP-related packages, once installed, you become dependent on sury for getting upgrades for these packages. Removing “everything that was from sury” is simply not trivial at all, you would need to downgrade a bunch of packages and that would be a huge mess to handle.

So we’re kinda stuck with using it. The good news, however, is that we now have a better pinning strategy (thanks to @taziden and @Kayou) and we should be mostly done with the epic dependencies issues all over the place.

The issues we still see (e.g. openssl version causing issues during the stretch->buster migration) are remains of some past installation. Nowadays, we configure apt/sury to not install openssl from sury and therefore keep the debian vanilla version. The only issue is that some setups already had it installed and now have to downgrade it. I’ll try to implement an automatic fix for this in the coming days as it seems relatively simple for this package and there doesn’t seem to be a huge bunch of technical ramifications in doing so.

5 Likes
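
The leftover described in the post above (openssl installed from Sury before the pin existed) can be spotted by parsing `apt-cache policy` output. This is an added example, not part of the thread and not YunoHost's own fix; the repository hostname `packages.sury.org`, the function names and the sample output are assumptions constructed for illustration.

```shell
#!/bin/sh
# Constructed sample of `apt-cache policy openssl` output on a host where the
# third-party build is still installed (versions and URLs are illustrative).
SAMPLE_POLICY='openssl:
  Installed: 1.1.1d-1+0~20191009.15+debian9~1.gbp8aba93
  Candidate: 1.1.1d-1+0~20191009.15+debian9~1.gbp8aba93
  Version table:
 *** 1.1.1d-1+0~20191009.15+debian9~1.gbp8aba93 100
         -1 https://packages.sury.org/php buster/main amd64 Packages
        100 /var/lib/dpkg/status
     1.1.1d-0+deb10u2 500
        500 http://deb.debian.org/debian buster/main amd64 Packages'

# Reads policy output on stdin. Exit status 0 if the installed version
# (the "***" entry of the version table) is served by repository host $1.
installed_from_origin() {
    awk -v host="$1" '
        /^ \*\*\* /  { cur = 1; next }   # installed version entry begins
        /^     [^ ]/ { cur = 0; next }   # some other version entry begins
        cur && index($0, host) { hit = 1 }
        END { exit !hit }'
}

# Reads policy output on stdin. Prints the first listed version that has a
# repository source other than host $1, i.e. the version to downgrade to.
fallback_version() {
    awk -v host="$1" '
        /^ \*\*\* / || /^     [^ ]/ { ver = ($1 == "***") ? $2 : $1; next }
        ver != "" && /^ +-?[0-9]+ [a-z]+:\/\// && !index($0, host) {
            print ver; exit
        }'
}

# Demo on the constructed sample. On a live system, pipe the real output:
#   apt-cache policy openssl | installed_from_origin packages.sury.org
if printf '%s\n' "$SAMPLE_POLICY" | installed_from_origin packages.sury.org; then
    target=$(printf '%s\n' "$SAMPLE_POLICY" | fallback_version packages.sury.org)
    echo "openssl comes from the third-party repo; Debian offers $target"
fi
```

The printed version is only a candidate: review the packages that depend on it before downgrading with `apt install openssl=<version>`.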

Thank you for that great answer ! :slight_smile: