OK, first issue, probably minor.

I get this installing the default php:

“This port is deprecated; you may wish to reconsider installing it:

PHP 5.4 is End of Life http://php.net/supported-versions.php.

It is scheduled to be removed on or after 2016-01-15.”

Figuring I should go to the latest version then, I installed php56 and then progressed to php56-extensions. All good except that I found two of the extensions listed as required in the appendix for BSD are not present in the extensions setup to select. Those two are:

php-spl

php-pcre

Unfortunately the same issue is present in the base/default php-extensions as I went back there to see if they were present.

I also get a STOP when php-mbstring comes up, saying it has vulnerabilities in the latest php56. I get a deprecated in the base/default php-extensions build.

While compiling the default/base php5-extensions I get a STOP on building php5-phar. This is not in the list of required extensions but is listed as a dependency for php5-pdo (during its make).

“===>  php5-phar-5.4.45 has known vulnerabilities:

php5-phar-5.4.45 is vulnerable:

php -- multiple vulnerabilities

CVE: CVE-2015-7804

CVE: CVE-2015-7803

WWW: https://vuxml.FreeBSD.org/freebsd/c1da8b75-6aef-11e5-9909-002590263bf5.html”

So maybe three questions:

1. Should I use the deprecated (but seemingly default/base) php5 (5.4.x) or the newer php56?

2. Do the two missing extensions matter? If so, where do I get them? (see 2.a below!)

3. For the default php5-phar, am I safe setting 'DISABLE_VULNERABILITIES=yes' for make? I could do the same for the newer version and ignore the mbstring vulnerability.

2.a. Interestingly enough, when I run php -m, it shows both SPL and pcre as loaded – I think they are actually in core for quite a long while now? Perhaps they should be removed from the required list (unless it is assumed people are smarter than I and know they are part of core?)?

So this whole thing is probably OK except for the issues with mbstring and phar vulnerabilities?