Newsgroups: php.internals
From: daniil.gentili@gmail.com (Daniil Gentili)
Date: Sun, 15 Mar 2026 16:45:57 +0100
Subject: Re: [PHP-DEV] [RFC] php-community: a faster-moving, community-driven PHP.
To: Jakub Zelenka
Cc: PHP Internals

On Sun, 15 Mar 2026, 16:36 Jakub Zelenka wrote:

> On Sun, Mar 15, 2026 at 3:51 PM Daniil Gentili wrote:
>
>>> I don't understand the security part. Do you mean that people could
>>> report security issues for those community branches? If so, then it's
>>> completely unrealistic as we are already struggling with handling security
>>> issues for the current branches.
>>
>> I honestly do not consider seriously any argument based on "it's too much
>> load for maintainers", including around security (which is still a
>> responsibility of feature owners).
>
> Except feature owners won't be able to do any triaging, security impact
> analysis (deciding whether it's a security issue - this is done by the
> security team), allocating CVEs, test the patches in our security repo, do
> the security release and publishing / updating all advisories. And I'm not
> even considering extra reporting will be required by CRA. So I think you
> might be underestimating the amount of work for handling security issues.

I do not underestimate it, I simply do not consider it to be a problem, given the context of PHP needing a LOT of new features in order to compete with modern languages.

Userland has been polyfilling them left and right (static analysis, amphp), but this is not the way forward.

A serious discussion needs to be done around a simple question.

Does internals want to keep PHP mostly as-is, in de facto maintenance mode (just security fixes, no expensive major features) to reduce the workload on maintainers, and slowly creep into irrelevance?

Because this is, put bluntly, what is being proposed.

