Newsgroups: php.internals
To: internals@lists.php.net
Date: Sun, 15 Mar 2026 09:10:48 -0500
Subject: Re: [PHP-DEV] [RFC] php-community: a faster-moving, community-driven PHP.
References: <839153A0-004D-4562-BD6E-65923201EDAA@gmail.com>
Message-ID: <20260315141049.161081A00BD@lists.php.net>
From: ramsey@php.net (Ben Ramsey)

On 3/15/26 04:17, Edmond Dantes wrote:
> Hello!
>
>> However, this proposal would put a completely unrealistic burden on php-src maintainers.
>
> It seems to me this is an organizational problem that certainly has a
> good solution.
> In my company we also use something similar.
> In practice it does not require that much effort. Moreover, right now
> I am doing essentially the same thing for the TrueAsync project:
>
> - the php-src code is updated
> - tests are run
> - if the tests pass, the code proceeds further
>
> I am doing this manually, although the process could be automated.
> TrueAsync currently has about 18,000+ lines of changes in PHP-SRC.
> Over these six months my personal attention was required only 2–3
> times. I can confirm a similar experience with other projects as well.
> A large number of different solutions can be devised here, both at the
> level of flow and rules, and at the level of technical approaches. So
> yes, it is a problem.
> But it is a problem that has a solution.
>

I worked on an automated release workflow[^1] for php-src a few years ago, but after discussions with others from various major project communities (including Apache, Linux, etc.), I realized the solution wasn't workable for one main reason:

An automated workflow cannot sign builds and still be considered secure.

Builds must be signed by a human on the machine where the build took place. Automating the signatures in the cloud significantly reduces trust and greatly increases the likelihood of a bad actor gaining access to sneak things into the build (e.g., through compromised GitHub Actions, etc.).

This was the nearly universal advice I was given by folks from other communities in 2023. I doubt that it's changed much since then, and especially with the rise of software supply chain attacks, it's probably even more relevant today.

Cheers,
Ben

[^1]: https://github.com/php/php-src/pull/10604