Newsgroups: php.internals
From: bukka@php.net (Jakub Zelenka)
Date: Sun, 15 Mar 2026 16:36:35 +0100
Subject: Re: [PHP-DEV] [RFC] php-community: a faster-moving, community-driven PHP.
To: Daniil Gentili
Cc: PHP Internals

On Sun, Mar 15, 2026 at 3:51 PM Daniil Gentili wrote:

>> I don't understand the security part. Do you mean that people could report
>> security issues for those community branches? If so, then it's completely
>> unrealistic as we are already struggling with handling security issues for
>> the current branches.
>
> I honestly do not consider seriously any argument based on "it's too much
> load for maintainers", including around security (which is still a
> responsibility of feature owners).

Except feature owners won't be able to do any triaging, security impact analysis (deciding whether it's a security issue - this is done by the security team), allocating CVEs, test the patches in our security repo, do the security release and publishing / updating all advisories. And I'm not even considering extra reporting that will be required by CRA.

So I think you might be underestimating the amount of work for handling security issues.

Kind regards,

Jakub