Newsgroups: php.internals
Xref: news.php.net php.internals:112282
Message-ID: <9e902c98-8d97-4401-9dd1-29607dd6eff8@www.fastmail.com>
Date: Tue, 24 Nov 2020 15:04:18 -0600
To: "php internals"
Subject: Re: [PHP-DEV] PHP releases, OPcache + Jit bugs, and communication
From: larry@garfieldtech.com ("Larry Garfield")

On Tue, Nov 24, 2020, at 2:47 PM, Dan Ackroyd wrote:
> Hi internals,
>
> Currently the PHP project doesn't have a particularly great way of
> letting users know when serious defects have been found in versions of
> PHP.
>
> My understanding is that this has been an issue before, when defects
> were found in OPcache. Due to OPcache incorrectly optimizing code,
> bugs could spontaneously appear anywhere in users' code. As we had
> nothing in place, we didn't have a way of communicating 'the latest
> version is borked, avoid it'. Fortunately there were few incidents of
> this.
>
> However, the JIT is quite likely to have many similar issues, where
> either new issues, or regressions, could seriously affect the
> integrity of how data is processed in PHP applications.
>
> I'd like to suggest that this could be improved by having some machine
> readable data somewhere (see example below), that contains a list of
> known critical issues that people should know about before upgrading
> to a particular version of PHP.
>
> This would at least allow people to either hold off on upgrading from
> a version that works, to a known bad version, as well as do things
> like alert their ops team of investigating whether a newly found issue
> could be affecting their programs, and it might be appropriate for
> them to revert to a previous version of PHP.
>
> Thoughts? And does anyone know of any projects that already do this,
> so we can be inspired by their best practices?
>
> cheers
> Dan
> Ack
>
> btw before anyone suggests "why don't we just have more releases?",
> PHP is mostly distributed through package managers on a fixed
> schedule. Switching to an ad-hoc schedule would be a huge amount of
> work for many people, and doesn't seem like a reasonable thing to do.
>
>
> Example of data
> ---------------------
> [
>   {
>     "version": "8.0.1",
>     "issues": [
>       {
>         "link": "https:\/\/bugs.php.net\/bug.php?id=12345",
>         "affects": "jit"
>       }
>     ]
>   },
>   {
>     "version": "8.0.0",
>     "issues": [
>       {
>         "link": "https:\/\/bugs.php.net\/bug.php?id=12345",
>         "affects": "opcache"
>       }
>     ]
>   }
> ]
>
> The 'affects' entry could be a comma separated list of things such as:
>
> jit - the JIT
> opcache - opcache
> php - the core engine with/without JIT or OPcache.
> security - known security flaws of a severity that justifies an
> urgent upgrade

That was essentially the idea behind the FIG's PSR-9:

https://github.com/php-fig/fig-standards/blob/master/proposed/security-disclosure-publication.md

It unfortunately never really went anywhere, but I thought it was a good idea.

There are some links there to some prior art we were drawing from, or planning to draw from. The idea was to allow projects to publish a link to a feed of security releases in their composer.json, and then Composer (or a plugin) could audit your dependencies and tell you if one of them was busted. My ideal was an Atom feed, as then it's compatible with pub/sub, but not everyone agreed with me about that. :-)

--Larry Garfield
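As an added example (not code from the thread or from the PHP project), here is a small Python consumer of the feed format Dan proposes above: it parses the JSON, validates the comma-separated 'affects' tags against the four he lists, and reports which known issues would apply to a host before it upgrades to a given version, treating 'php' and 'security' as always relevant and 'jit'/'opcache' as relevant only when that feature is enabled. The feed contents, bug ids and links are constructed placeholders.

```python
import json

# Constructed sample feed in the shape proposed in the quoted mail; the bug ids
# and links are placeholders, not real bugs.php.net entries.
SAMPLE_FEED = r'''
[
  {"version": "8.0.1",
   "issues": [{"link": "https:\/\/bugs.php.net\/bug.php?id=12345", "affects": "jit"}]},
  {"version": "8.0.0",
   "issues": [{"link": "https:\/\/bugs.php.net\/bug.php?id=12346", "affects": "opcache,security"}]}
]
'''

KNOWN_TAGS = {"jit", "opcache", "php", "security"}
# Tags that matter for every installation, whatever extensions it has enabled.
ALWAYS_RELEVANT = {"php", "security"}


def parse_feed(text):
    """Return {version: [(link, {tags})]}, rejecting malformed or unknown entries."""
    data = json.loads(text)
    if not isinstance(data, list):
        raise ValueError("feed root must be a list of version entries")
    feed = {}
    for entry in data:
        version = entry["version"]
        issues = []
        for issue in entry.get("issues", []):
            # 'affects' is a comma-separated list; normalise whitespace and case.
            tags = {t.strip().lower() for t in issue["affects"].split(",") if t.strip()}
            unknown = tags - KNOWN_TAGS
            if unknown:
                raise ValueError(f"{version}: unknown affects tag(s) {sorted(unknown)}")
            issues.append((issue["link"], tags))
        feed[version] = issues
    return feed


def blocking_issues(feed, target_version, enabled):
    """Links for issues in target_version that apply to a host with these features on."""
    relevant = ALWAYS_RELEVANT | (set(enabled) & KNOWN_TAGS)
    return [link for link, tags in feed.get(target_version, []) if tags & relevant]


if __name__ == "__main__":
    feed = parse_feed(SAMPLE_FEED)
    for version in ("8.0.0", "8.0.1", "8.0.2"):
        hits = blocking_issues(feed, version, enabled={"opcache"})
        print(version, "OK" if not hits else "known issues: " + ", ".join(hits))
```

A version absent from the feed is reported as clean, so a consumer should also check that the feed itself is fresh before trusting an empty result.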