Newsgroups: php.internals Path: news.php.net Xref: news.php.net php.internals:130315 X-Original-To: internals@lists.php.net Delivered-To: internals@lists.php.net Received: from php-smtp4.php.net (php-smtp4.php.net [45.112.84.5]) by lists.php.net (Postfix) with ESMTPS id 08E501A00BC for ; Sat, 14 Mar 2026 23:59:40 +0000 (UTC) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=php.net; s=mail; t=1773532784; bh=Av9OgNsE3UiPto+9Kkub33vn1kmUBPrz1ggmfQaDxGE=; h=From:Subject:Date:References:To:In-Reply-To:From; b=QeSgOac290AMggGNq7snd7YDz4aY/EloBgH6aKH1dpKnSjJjEhp4xF5nTGW+bvVff EiHbGWzfetN11NIhif74hFuPz/pvZQpFIk1+juLacomuEUDHYh1fCA8UPkUh94odW4 K1VwvTHYqko7F6Pp3hGjUSAd78H+2AFCy9jTgixhhHwbwCYc09j5axLEdwYgTfLuF7 cTj8v9IjMcUihpwShGr9zZrdvC+48PP5mlae3nGq2jKFQWVy/4icQxySm2ygHxncb0 vTplNPSCqgiDT/CCq4vCAByWoVpfg2vUGJB+QQCg3MVwH1sjK20alRTppo4h6dEd5E O8lhTKLkMQLKQ== Received: from php-smtp4.php.net (localhost [127.0.0.1]) by php-smtp4.php.net (Postfix) with ESMTP id B895E180389 for ; Sat, 14 Mar 2026 23:59:43 +0000 (UTC) X-Spam-Checker-Version: SpamAssassin 4.0.1 (2024-03-25) on php-smtp4.php.net X-Spam-Level: X-Spam-Status: No, score=0.6 required=5.0 tests=BAYES_50,DKIM_SIGNED, DKIM_VALID,DKIM_VALID_AU,DKIM_VALID_EF,DMARC_PASS,FREEMAIL_FROM, RCVD_IN_DNSWL_NONE,RCVD_IN_MSPIKE_H2,SPF_HELO_NONE,SPF_PASS autolearn=no autolearn_force=no version=4.0.1 X-Spam-Virus: No X-Envelope-From: Received: from mail-wm1-f51.google.com (mail-wm1-f51.google.com [209.85.128.51]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature RSA-PSS (2048 bits) server-digest SHA256) (No client certificate requested) by php-smtp4.php.net (Postfix) with ESMTPS for ; Sat, 14 Mar 2026 23:59:43 +0000 (UTC) Received: by mail-wm1-f51.google.com with SMTP id 5b1f17b1804b1-48374014a77so32542305e9.3 for ; Sat, 14 Mar 2026 16:59:38 -0700 (PDT) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20230601; t=1773532776; x=1774137576; darn=lists.php.net; h=message-id:in-reply-to:to:references:date:subject:mime-version :content-transfer-encoding:from:from:to:cc:subject:date:message-id :reply-to; bh=Av9OgNsE3UiPto+9Kkub33vn1kmUBPrz1ggmfQaDxGE=; b=CpJgAtL/7praxsV3jOtJenTYERckN8j+NPWtLd22o4Zzlpc03boRjO/4826ZloAwH3 ldZ9d8Y8iRDZHBI/xC+U3ab8+dT6VIxOsgoJuHgyspp/UVUH4KfoT14mLpW+W+Yj5tYV kuCJ9xxkeQeSQFueL9KTRJfyw4oChTgJi5Z7HQsl1PZcJgXLgGUsolYs2sKCwer1rYO3 wYdfzc5mr4eUnrnqBt7yqjMzOJCQqsJO58MmasIM2IvlN0ofOh//UdGm4yKwVaS8+j53 ESlpC7YVTJyX1euWH5+1IxEq+3gsEOmRvusyYpTEidVWPV/TBoMcXBLdQwE6NSL6KK20 cmXA== X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20251104; t=1773532776; x=1774137576; h=message-id:in-reply-to:to:references:date:subject:mime-version :content-transfer-encoding:from:x-gm-gg:x-gm-message-state:from:to :cc:subject:date:message-id:reply-to; bh=Av9OgNsE3UiPto+9Kkub33vn1kmUBPrz1ggmfQaDxGE=; b=E9NYNEbdeenHyw7MoO5uNwVHEbA63qvoQxhdwvkcBzsMcYFJ5U6jO44iDM6bPrb9N+ EKaNuwwElOJkKwyIi9bb6rgNcn2Q1UUp+azfVjSZBIx0DRE++EdrS7eG13e8vC8mO70a s/4N5TC5pli6bLvwY9gsP1dpIgJK6J4R8WUQyik2Sz+hkAvd7WPUJztPHOzFjJVQ8azD a/U+3llxY0FBkrDTmjFq+I1qR5r7Y9STVKn6aYX29lTo1FP0NqoAovo1QNg/ZsNk5Udv YqB6jcxKCRNIA4JjfjjEGLV/Hl8rj9QG8fB945OtgzDBJXPrCCFF1yp9KWN/mbSyNn8A mpIA== X-Gm-Message-State: AOJu0Yw1EVWa+6lbJNzWEj9gZ76IUbV7wCj6mkm9SGxxg6vPd4Ig8NYA QZGowHO3nHPfBNJsYSFjriKBxsuEIcDK27r+ayqV9HG+1ASu5vRLc+kXeImLnA== X-Gm-Gg: ATEYQzwi5oV54dNIqqgyU+s4T46NDN2+qmqZ6Dm5jvCKSS5uBtsp5i05WSp0CJTnmc4 9o9ySfojXBX8CUpUB1VA/0KZ3aPKxxqltykocb0H4uL+iERCDIWX02VVxnSokwTFlJckp1gnCSX NDQ5JxPbZXvzv5Fm8tgRsP4Pop23blsDAqBODMgP1xjEDWKroES4Im6HTQKUiwtn6I+4oc5XnZ/ hazzcyXfuXJKmt5YZ8XMbFbaE/Gdl2gOvzkjMgwpkyT/9TaHmPEl9m1WDauEEBq01n98n6Rj23S o5py84W8we8AacDWN4CI5Qz7Zmws/YQU8pV0HTALdHzUTZHY5DAxIPxRZyiT3cOLLOs0J3dMaKo NlpTA3YBNlx6PfuVYdHz2/MHLu2rKEF+SmKPJJBs2T8Yad8CgealCDa1w6jEiYUaF1L2T4IT4p6 A532GT+tv2xGLGtYrHaun0KL4K/0rGvB4z8azu4TMzk/TVVzDlxcybk5JY7C09sYNKyqSNUvMha fFbuI7fk3KqL3ILUQ4dGkU92zC7EIYeE347rDJ55g== X-Received: by 2002:a05:600c:4f54:b0:485:353f:c651 with SMTP id 5b1f17b1804b1-48556702b4dmr132673965e9.22.1773532776320; Sat, 14 Mar 2026 16:59:36 -0700 (PDT) Received: from smtpclient.apple (luna-01f5111afa46a58a0000f.net.as198747.daniil.it. [2a0e:97c0:38f:0:a85a:64af:a111:5f10]) by smtp.gmail.com with ESMTPSA id 5b1f17b1804b1-4854b6756e4sm361560825e9.15.2026.03.14.16.59.35 for (version=TLS1_2 cipher=ECDHE-ECDSA-AES128-GCM-SHA256 bits=128/128); Sat, 14 Mar 2026 16:59:36 -0700 (PDT) Content-Type: text/plain; charset=utf-8 Content-Transfer-Encoding: quoted-printable Precedence: list list-help: list-unsubscribe: list-post: List-Id: x-ms-reactions: disallow Mime-Version: 1.0 (Mac OS X Mail 16.0 \(3864.400.21\)) Subject: Re: [PHP-DEV] [RFC] php-community: a faster-moving, community-driven PHP. Date: Sun, 15 Mar 2026 00:59:24 +0100 References: <839153A0-004D-4562-BD6E-65923201EDAA@gmail.com> <166C02DA-50BC-4283-86F9-18AD7A49E2C1@cschneid.com> To: internals@lists.php.net In-Reply-To: <166C02DA-50BC-4283-86F9-18AD7A49E2C1@cschneid.com> Message-ID: <670593F4-00F1-429D-868E-F15E3688F3FA@gmail.com> X-Mailer: Apple Mail (2.3864.400.21) From: daniil.gentili@gmail.com (Daniil Gentili) >=20 > My understanding is that > a) this creates a fork of PHP in the sense that a separate version has = to be maintained > b) you assume the same core developers will be in charge of the what I = call "stable" and the "community" version of PHP >=20 > Is that correct? > This makes me worried about the additional burden on the core = maintainers. Yes, this is mostly correct: however note that the maintenance burden of = feature extensions will lay squarely on the feature maintainers/authors, = listed in the designed document of merged community RFCs. Developers outside of the feature maintainers should only need to touch = feature extension code when introducing breaking changes to extension = APIs, like is already the case now for extensions. This is actually very close to the approach used by linux: drivers are = owned and maintained each by their own maintainers: non-maintainers need = to touch driver code only when authoring breaking changes to inner Linux = APIs which affect drivers. > as well as compatibility issues for package maintainers ("this library = is only guaranteed to work with php-community-yyyy1-mm1-dd1 to = php-community-yyyy2-mm2-dd2 but not the base php" or vice versa). It is for precisely this reason that all feature extensions are = versioned (possibly with multiple versions of a single extension = shipping in a single php-community release), and full information about = available versions is exposed through the PhpFeatures class, in a format = matching Composer JSON repositories. Package maintainers are expected to rely on specific versions of = features (feature-performance:^2), not on specific releases of = php-community. I initially even considered not exposing the current php-community = version at all to userland, exposing just the stable php version it is = based on, but then decided against it as there is still a small amount = of non-feature extension scaffolding code unique to php-community, which = may have bugs, which may require versioning (i.e. a bug the PhpFeature = class itself). Thinking about it some more, PhpFeature and scaffolding code may itself = be exposed as a versioned, always-enabled php-community feature = extension, so now that I think about it, exposing the current = php-community version is even more useless, but I=E2=80=99d still leave = it exposed even if just for PR reasons. >=20 > Another thing I am a bit confused about is the inclusion of sandboxing = as part of this RFC: Is this really an integral part of the community = version? And while we're at it: As long as the community version allows = for PECL/PIE/whatever extensions then the sandboxing could be broken by = those extensions, so this can lead to a false sense of security / needs = auditing of all extensions included in a version. That's why I'm wary of = including it as a secondary feature, it feels a bit tacked on to me for = a security topic. >=20 Sandboxing is expected to cover only features offered by mainline PHP, = php-community and all extensions and feature extensions shipping with = PHP and php-community, not normal extensions installed separately = (though normal extensions may choose to opt-in and respect sandboxing = levels as well, if they wish). Sandboxing is indeed somewhat a separate matter from php-community, and = can in fact be fully defined by a separate (community or normal) RFC. = However, it is absolutely mandatory for the implementation of the main = goal of php-community: fast adoption of new features by the entire PHP = community, especially shared hosts, which require sandboxing by = definition, and cannot be expected to look through the list of changes = in all feature extensions bundled in all of the monthly releases of = php-community. In fact, IMO one of the reasons why shared hosts often lag behind PHP = versions is the (small, but non-negligible) cost of searching and = patching sandbox escape hatches introduced by new PHP versions, so = sandboxing, if merged in mainline PHP, may also speed up adoption of = even normal PHP upgrades. Regards, Daniil Gentili.