Newsgroups: php.internals
Date: Tue, 24 Nov 2020 20:47:51 +0000
To: PHP internals
Subject: PHP releases, OPcache + Jit bugs, and communication
From: Danack@basereality.com (Dan Ackroyd)

Hi internals,

Currently the PHP project doesn't have a particularly great way of letting users know when serious defects have been found in versions of PHP.

My understanding is that this has been an issue before, when defects were found in OPcache. Due to OPcache incorrectly optimizing code, bugs could spontaneously appear anywhere in users' code. As we had nothing in place, we didn't have a way of communicating 'the latest version is borked, avoid it'.

Fortunately there were few incidents of this. However, the JIT is quite likely to have many similar issues, where either new issues, or regressions, could seriously affect the integrity of how data is processed in PHP applications.

I'd like to suggest that this could be improved by having some machine-readable data somewhere (see example below), that contains a list of known critical issues that people should know about before upgrading to a particular version of PHP.

This would at least allow people to either hold off on upgrading from a version that works, to a known bad version, as well as do things like alert their ops team to investigate whether a newly found issue could be affecting their programs, and it might be appropriate for them to revert to a previous version of PHP.

Thoughts? And does anyone know of any projects that already do this, so we can be inspired by their best practices?

cheers
Dan
Ack

btw before anyone suggests "why don't we just have more releases?", PHP is mostly distributed through package managers on a fixed schedule. Switching to an ad-hoc schedule would be a huge amount of work for many people, and doesn't seem like a reasonable thing to do.

Example of data
---------------------

[
    {
        "version": "8.0.1",
        "issues": [
            {
                "link": "https:\/\/bugs.php.net\/bug.php?id=12345",
                "affects": "jit"
            }
        ]
    },
    {
        "version": "8.0.0",
        "issues": [
            {
                "link": "https:\/\/bugs.php.net\/bug.php?id=12345",
                "affects": "opcache"
            }
        ]
    }
]

The 'affects' entry could be a comma separated list of things such as:

jit - the JIT
opcache - opcache
php - the core engine with/without JIT or OPcache.
security - known security flaws that are of a severity that justify an urgent upgrade
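
Added example, not part of the original message and not PHP project code: a deploy-time check that reads a feed in the shape proposed above and advises on moving from one PHP version to another, given which components a deployment has enabled. The function names, the advice labels, the rule that unrecognised tags count as relevant, and version 7.4.12 in the test are assumptions made for illustration.

```python
import json

# Constructed feed: same shape and placeholder bug ids as the example in the message.
FEED = r'''[
 {"version": "8.0.1", "issues": [
   {"link": "https:\/\/bugs.php.net\/bug.php?id=12345", "affects": "jit"}]},
 {"version": "8.0.0", "issues": [
   {"link": "https:\/\/bugs.php.net\/bug.php?id=12345", "affects": "opcache"}]}
]'''

KNOWN_TAGS = {"jit", "opcache", "php", "security"}
ALWAYS_RELEVANT = {"php", "security"}  # apply whatever extensions are enabled


def load_issues(feed_text):
    """Return {version: [(link, set_of_tags), ...]} from the JSON feed."""
    index = {}
    for entry in json.loads(feed_text):
        issues = []
        for issue in entry.get("issues", []):
            raw = issue.get("affects", "")
            tags = {t.strip().lower() for t in raw.split(",") if t.strip()}
            issues.append((issue["link"], tags))
        index.setdefault(entry["version"], []).extend(issues)
    return index


def relevant_issues(index, version, enabled):
    """Issues for `version` that touch something this deployment runs."""
    watch = set(enabled) | ALWAYS_RELEVANT
    hits = []
    for link, tags in index.get(version, []):
        # Fail safe: an empty or unrecognised tag is treated as relevant.
        if not tags or tags - KNOWN_TAGS or tags & watch:
            hits.append((link, sorted(tags)))
    return hits


def upgrade_advice(index, current, target, enabled):
    """'hold', 'review', 'upgrade' or 'ok' for moving current -> target."""
    cur = relevant_issues(index, current, enabled)
    tgt = relevant_issues(index, target, enabled)
    if tgt:
        return "review" if cur else "hold"
    return "upgrade" if cur else "ok"


if __name__ == "__main__":
    idx = load_issues(FEED)
    print(upgrade_advice(idx, "8.0.0", "8.0.1", {"opcache", "jit"}))
```

"hold" means only the target version has a relevant known issue, "review" means both versions do and a person has to choose (possibly an older release), and "upgrade" means only the running version is affected.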