Newsgroups: php.internals
Date: Sun, 15 Mar 2026 17:33:11 +0100
Subject: Re: [PHP-DEV] [RFC] php-community: a faster-moving, community-driven PHP.
To: Daniil Gentili
Cc: PHP Internals
From: bukka@php.net (Jakub Zelenka)

On Sun, Mar 15, 2026 at 4:46 PM Daniil Gentili wrote:
>
> On Sun, 15 Mar 2026, 16:36 Jakub Zelenka wrote:
>
>> On Sun, Mar 15, 2026 at 3:51 PM Daniil Gentili wrote:
>>
>>>> I don't understand the security part. Do you mean that people could
>>>> report security issues for those community branches? If so, then it's
>>>> completely unrealistic as we are already struggling with handling security
>>>> issues for the current branches.
>>>>
>>>
>>> I honestly do not consider seriously any argument based on "it's too
>>> much load for maintainers", including around security (which is still a
>>> responsibility of feature owners).
>>>
>>>
>> Except feature owners won't be able to do any triaging, security impact
>> analysis (deciding whether it's a security issue - this is done by the
>> security team), allocating CVEs, testing the patches in our security repo,
>> doing the security release and publishing / updating all advisories. And I'm
>> not even considering the extra reporting that will be required by the CRA.
>> So I think you might be underestimating the amount of work for handling
>> security issues.
>>
>
> I do not underestimate it, I simply do not consider it to be a problem,
> given the context of PHP needing a LOT of new features in order to compete
> with modern languages.
>

But we just don't have those resources in the security team. As I said, we are
struggling to handle the current load. Things might improve in 2027 but it's
still not clear if we get some extra resources. If we do, we would more likely
want to spend it on the current backlog and improve other things though, as
there is a lot to do. So I just don't think something like this is realistic.

Kind regards,

Jakub