Newsgroups: php.internals
Date: Tue, 24 Nov 2020 22:32:24 +0100
To: Dan Ackroyd
Cc: PHP internals
Subject: Re: [PHP-DEV] PHP releases, OPcache + Jit bugs, and communication
From: ocramius@gmail.com (Marco Pivetta)

Hey Dan,

On Tue, Nov 24, 2020 at 9:48 PM Dan Ackroyd wrote:

> Hi internals,
>
> Currently the PHP project doesn't have a particularly great way of
> letting users know when serious defects have been found in versions of
> PHP.
>
> My understanding is that this has been an issue before, when defects
> were found in OPcache. Due to OPcache incorrectly optimizing code,
> bugs could spontaneously appear anywhere in users' code. As we had
> nothing in place, we didn't have a way of communicating 'the latest
> version is borked, avoid it'. Fortunately there were few incidents of
> this.
>
> However, the JIT is quite likely to have many similar issues, where
> either new issues, or regressions, could seriously affect the
> integrity of how data is processed in PHP applications.
>
> I'd like to suggest that this could be improved by having some machine
> readable data somewhere (see example below), that contains a list of
> known critical issues that people should know about before upgrading
> to a particular version of PHP.
>
> This would at least allow people to either hold off on upgrading from
> a version that works, to a known bad version, as well as do things
> like alert their ops team of investigating whether a newly found issue
> could be affecting their programs, and it might be appropriate for
> them to revert to a previous version of PHP.
>
> Thoughts? And does anyone know of any projects that already do this,
> so we can be inspired by their best practices?
>
> cheers
> Dan
> Ack
>
> btw before anyone suggests "why don't we just have more releases?",
> PHP is mostly distributed through package managers on a fixed
> schedule. Switching to an ad-hoc schedule would be a huge amount of
> work for many people, and doesn't seem like a reasonable thing to do.
>
>
> Example of data
> ---------------------
> [
>     {
>         "version": "8.0.1",
>         "issues": [
>             {
>                 "link": "https:\/\/bugs.php.net\/bug.php?id=12345",
>                 "affects": "jit"
>             }
>         ]
>     },
>     {
>         "version": "8.0.0",
>         "issues": [
>             {
>                 "link": "https:\/\/bugs.php.net\/bug.php?id=12345",
>                 "affects": "opcache"
>             }
>         ]
>     }
> ]
>
> The 'affects' entry could be a comma separated list of things such as:
>
> jit - the JIT
> opcache - opcache
> php - the core engine with/without JIT or OPcache.
> security - known security flaws that are of a severity that justify an
> urgent upgrade
>

An rss/atom feed with affected version ranges (can be added via XSD, I
suppose) would be fantastic: I'd factor it into `roave/security-advisories`
ASAP, if there was a way to have such a thing :-)

Marco Pivetta

http://twitter.com/Ocramius

http://ocramius.github.com/
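
Added example, not part of the original thread or of any PHP project tooling: a Python upgrade gate that reads data in the format Dan proposes and lists the known issues that apply to a target version, given which components an installation has enabled. The function names, the rejection of unknown tags and the rule that `php` and `security` always apply are assumptions of this example.

```python
import json

# Tags from the proposal; treating php/security as always relevant is an assumption.
KNOWN_TAGS = {"jit", "opcache", "php", "security"}
ALWAYS_RELEVANT = {"php", "security"}

# Constructed sample in the proposed format; bug id 12345 is the thread's
# placeholder, and the second "affects" value is changed to show a list.
SAMPLE_FEED = r"""
[
  {"version": "8.0.1", "issues": [
    {"link": "https:\/\/bugs.php.net\/bug.php?id=12345", "affects": "jit"}]},
  {"version": "8.0.0", "issues": [
    {"link": "https:\/\/bugs.php.net\/bug.php?id=12345",
     "affects": "opcache, security"}]}
]
"""


def parse_feed(text):
    """Return {version: [(link, tags), ...]}; raise ValueError on bad data."""
    data = json.loads(text)  # JSONDecodeError is a ValueError subclass
    if not isinstance(data, list):
        raise ValueError("feed must be a JSON array")
    feed = {}
    for entry in data:
        if not isinstance(entry, dict):
            raise ValueError("entry must be an object")
        version, issues = entry.get("version"), entry.get("issues")
        if not isinstance(version, str) or not isinstance(issues, list):
            raise ValueError("entry needs a version string and an issues list")
        for issue in issues:
            if not isinstance(issue, dict):
                raise ValueError("issue must be an object")
            link, affects = issue.get("link"), issue.get("affects")
            if not isinstance(link, str) or not isinstance(affects, str):
                raise ValueError("issue needs link and affects strings")
            tags = {t.strip().lower() for t in affects.split(",")}
            # Fail closed: an empty or unknown tag rejects the whole feed.
            if not tags <= KNOWN_TAGS:
                raise ValueError(f"unknown affects tag in {affects!r}")
            feed.setdefault(version, []).append((link, frozenset(tags)))
    return feed


def blocking_issues(feed, target_version, enabled):
    """Links of known issues in target_version touching an enabled component."""
    relevant = set(enabled) | ALWAYS_RELEVANT
    return [link for link, tags in feed.get(target_version, []) if tags & relevant]
```

A deployment job would call `blocking_issues` with the version it is about to install and hold the upgrade when the list is non-empty.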