Staying in the Loop

You should already have bookmarked the websites for Apache, PHP, and MySQL. It doesn't matter whether you've been using these technologies for six days or six yearsthere will always be a need to refer back to the sites (I do, all the time!). If the primary reason for visiting the websites is to obtain information regarding updates, you could always subscribe to an announcements-only mailing list:

• For MySQL announcements, go to http://lists.mysql.com/ and subscribe to the MySQL Announcements list.

• For Apache announcements, go to http://www.apache.org/foundation/mailinglists.html and subscribe to the Apache News and Announcements list.

• For PHP announcements, go to http://www.php.net/mailing-lists.php and subscribe to the Announcements list.

When to Upgrade

As indicated in the installation chapters, minor version changes occur whenever the developers find it necessary to do sonot on any particular schedule. But just because a minor version change has occurred, that doesn't necessarily mean you should run right out and upgrade your software. Sometimes, however, you should upgrade.

The primary instance in which you should immediately upgrade your software is when a security fix is announced. Usually, security issues are not discovered until they are exploitedsometimes in a testing environment but sometimes by a rogue user who just wants to cause trouble for the world. After a security issue is verified, you can bet that it becomes the top priority for developers to fix, and quickly you will see an announcement of an upgrade. When that occurs, you should upgrade immediatelyeven if you don't use the particular element that is the cause of the security issue. A hole is a holewhy leave it uncovered?

Here is an example of the Apache changelog, documenting a change that occurred between version 2.0.54 and 2.0.55 that would be an indicator of a need to upgrade:

SECURITY: CAN-2005-2700 (cve.mitre.org) mod_ssl: Fix a security issue where "SSLVerifyClient" was not enforced in per-location context if "SSLVerifyClient optional" was configured in the vhost configuration.

A good rule of thumb would be that if the word security appears anywhere in the changelog, you should upgrade.

However, if the release is simply a maintenance release, meaning that it contains bugfixes and general enhancements that occur through normal development, you probably don't need to drop everything and upgrade your software. Here are some examples of maintenance items from the Apache and PHP changelogs:

Prevent hangs of child processes when writing to piped loggers at the time of  graceful restart.  (from Apache changelog) Fixed bug #35817 (unpack() does not decode odd number of hexadecimal values). (from PHP changelog)

If nothing in the list of changes is relevant to you, your work, or your environment, you could probably put off the upgrade until scheduled downtime or a rainy day. For example, if all the bugs fixed in a maintenance release of PHP have to do with an AIX or Tru64 platform and you run Linux on Intel architecture, you can put the task aside, worry-free.

Even if you don't immediately upgrade your software, it's a good idea to stay at least within one or two minor versions of the current production version of the software. Anything past that, and it becomes more likely that new features would be added or bugs fixed that are indeed relevant to your work or your environment.