[RFC] php-community: a faster-moving, community-driven PHP.

My understanding is that
a) this creates a fork of PHP in the sense that a separate version has to be maintained
b) you assume the same core developers will be in charge of the what I call "stable" and the "community" version of PHP

Is that correct?
This makes me worried about the additional burden on the core maintainers.

Yes, this is mostly correct: however note that the maintenance burden of feature extensions will lay squarely on the feature maintainers/authors, listed in the designed document of merged community RFCs.

Developers outside of the feature maintainers should only need to touch feature extension code when introducing breaking changes to extension APIs, like is already the case now for extensions.

This is actually very close to the approach used by linux: drivers are owned and maintained each by their own maintainers: non-maintainers need to touch driver code only when authoring breaking changes to inner Linux APIs which affect drivers.

as well as compatibility issues for package maintainers ("this library is only guaranteed to work with php-community-yyyy1-mm1-dd1 to php-community-yyyy2-mm2-dd2 but not the base php" or vice versa).

It is for precisely this reason that all feature extensions are versioned (possibly with multiple versions of a single extension shipping in a single php-community release), and full information about available versions is exposed through the PhpFeatures class, in a format matching Composer JSON repositories.

Package maintainers are expected to rely on specific versions of features (feature-performance:^2), not on specific releases of php-community.

I initially even considered not exposing the current php-community version at all to userland, exposing just the stable php version it is based on, but then decided against it as there is still a small amount of non-feature extension scaffolding code unique to php-community, which may have bugs, which may require versioning (i.e. a bug the PhpFeature class itself).

Thinking about it some more, PhpFeature and scaffolding code may itself be exposed as a versioned, always-enabled php-community feature extension, so now that I think about it, exposing the current php-community version is even more useless, but I’d still leave it exposed even if just for PR reasons.

Another thing I am a bit confused about is the inclusion of sandboxing as part of this RFC: Is this really an integral part of the community version? And while we're at it: As long as the community version allows for PECL/PIE/whatever extensions then the sandboxing could be broken by those extensions, so this can lead to a false sense of security / needs auditing of all extensions included in a version. That's why I'm wary of including it as a secondary feature, it feels a bit tacked on to me for a security topic.

Sandboxing is expected to cover only features offered by mainline PHP, php-community and all extensions and feature extensions shipping with PHP and php-community, not normal extensions installed separately (though normal extensions may choose to opt-in and respect sandboxing levels as well, if they wish).

Sandboxing is indeed somewhat a separate matter from php-community, and can in fact be fully defined by a separate (community or normal) RFC. However, it is absolutely mandatory for the implementation of the main goal of php-community: fast adoption of new features by the entire PHP community, especially shared hosts, which require sandboxing by definition, and cannot be expected to look through the list of changes in all feature extensions bundled in all of the monthly releases of php-community.

In fact, IMO one of the reasons why shared hosts often lag behind PHP versions is the (small, but non-negligible) cost of searching and patching sandbox escape hatches introduced by new PHP versions, so sandboxing, if merged in mainline PHP, may also speed up adoption of even normal PHP upgrades.

Regards,
Daniil Gentili.

Submitting for discussion the php-community RFC, for a faster-moving,
community-driven PHP: https://wiki.php.net/rfc/php-community

I understand and appreciate your desire to accelerate the development
speed of PHP. However, this proposal would put a completely
unrealistic burden on php-src maintainers.

By design, it would become very easy to add new features to the
community branch. However, code isn't merged and forgotten; it
requires continued maintenance. Features interact, bugs need to be
fixed, code will diverge from release branches and require conflict
resolution, development of features through PRs would still require
reviews by maintainers, etc. The additional effort to keep all of this
working correctly for underspecified and questionable features would
be immense.

As mentioned in the RFC and earlier in the thread, the burden of
maintaining feature extensions will lay exclusively on the owners of the
community RFCs, and any other maintainers appointed by them.

Features and bug fixes for feature extensions will NOT be a responsibility
of php-src maintainers.
This also includes reviews on feature extension code, which will be a
exclusive responsibility of the owners of said features.

In other words, feature extensions are "guests" allowed into the
php-community branch, and are developed and maintained exclusively by their
owners just as if they were a standalone extension.

Of course, a more detailed review on behalf of php-src maintainers is still
preferable for the initial addition PR, but it is not required (even if
obviously still allowed) for subsequent PRs.

There's no real veto for php-src maintainers, a single internals
member can overrule the "veto" mentioned in the RFC.

No, that is not correct, a single internals member cannot overrule a veto
made by all remaining internals members.

Only 50%+1 internals members put together can overrule a veto made by the
remaining half.

If a problematic

feature is accepted, it must be supported for at least 6 months,

By the feature owner, not php-src maintainers (again, like with Linux).

further burden falls on php-src maintainers to propose the removal of

the problematic feature, and it might not even be removed unless:

Adoption is negligible, as evidenced by Packagist statistics.

To be honest, this is not all too different from the current state of PHP:
there is a large amount of extension code in core which are only there
because it was added a long time ago to cover a specific usecase, and is
still there even if technology has moved on and that feature is no longer
in use by the majority of the PHP userbase (thinking about legacy db
drivers).

In php-community, actual, real adoption statistics will be available
through packagist, making removal actually a lot easier.

I think this development model works much better with authoritative
working groups or a benevolent dictator, along with a coherent
roadmap. And crucially, failed ideas would be removed before this
community edition becomes a cemetery of failed ideas.

I partially agree, and partially disagree.

Go indeed does have a few benevolent dictators that get the final words in
case the various committees cannot find an agreement: this has worked out
mostly well for them, but unlike processes, a benevolent dictator is not
something that can be easily copied.

I personally cannot think of a single person that can be entrusted with the
role of a benevolent dictator for PHP.

On the contrary, I believe that the current status quo of PHP is "a bunch
of dictators with largely varying opinions" is actually a good thing,
because internals members fight it out in full transparency, in a public
mailing list, presenting a variety of viewpoints and arguments.

The only missing thing, which is the main reason why I made this RFC, is
real adoption data and feedback from the community that can be used to
empower or defeat viewpoints during the public internals argument.

The definition of "failed ideas" should not be up to any single internals
member to decide, it should be up to the actual users, who actually get to
use the language every day.

Regards,
Daniil Gentili.

Hello!

However, this proposal would put a completely unrealistic burden on php-src maintainers.

It seems to me this is an organizational problem that certainly has a
good solution.
In my company we also use something similar.
In practice it does not require that much effort. Moreover, right now
I am doing essentially the same thing for the TrueAsync project:

• the php-src code is updated
• tests are run
• if the tests pass, the code proceeds further

I am doing this manually, although the process could be automated.
TrueAsync currently has about 18,000+ lines of changes in PHP-SRC.
Over these six months my personal attention was required only 2–3
times. I can confirm a similar experience with other projects as well.
A large number of different solutions can be devised here, both at the
level of flow and rules, and at the level of technical approaches. So
yes, it is a problem.
But it is a problem that has a solution.

There's no real veto for php-src maintainers,
This question is more complex. I personally prefer the models used by
Go and Python, which rely on consensus rather than voting. I would
only add a long path of iterative development, where a feature reaches
users at an early stage. Releasing a feature early is what provides
quality guarantees, something that is well confirmed by modern IT
practice.
Building a quality product using the scheme “first we design an RFC
here → then nobody can actually implement it” has historically not
worked well. Companies spent millions of dollars on this approach in
the 1960s–70s, and the percentage of successful projects built this
way was extremely small.

This applies not only to the async project. Generics and most
moderately complex features are in the same boat.

I honestly think this would be catastrophic.
Not impossible. Although using statistics and real-world usage to
evaluate features is definitely useful. The question is how to use it
most effectively.
I think this requires some thought.

Best regards, Ed

Am 15.03.2026 um 11:33 schrieb Rowan Tommins [IMSoP] imsop.php@rwec.co.uk:

A feature is eligible for removal only if both of the following conditions are met:

• It has no active maintainer listed in the accepted community RFC design document.
• Adoption is negligible, as evidenced by Packagist statistics.

This feels incompatible with the rest of the process. If features are easy to propose, release, and iterate, it should be just as easy to mark them abandoned or obsolete. Otherwise, an interesting but flawed feature has to be maintained forever even if its author loses interest - and who is going to do that maintenance?

If the intention of these features is to be experimental, perhaps every feature version could have a fixed lifetime. Users know that they can't rely on it long-term, but if it's popular it will hopefully make it into a stable release of PHP.

I was thinking along the same lines but it also made me wonder: Who would target such an unstable community version for production?
I know that I'd think more than twice before relying on any feature which might disappear or change again soon(ish).

php-community will always be based on the latest stable PHP release

Who will be responsible for merging changes made to "feature extensions" back to master, and stabilising the first community release after a new stable release?

What about the other way around: It is assumed that the extension maintainers fix conflicts with changes in the stable php release, right?
As an extension maintainer and hence responsible I'd be worried about this, especially as changes to stable could be completely incompatible with my extension. Which could hurt users of my extension and therefore myself.

Regards,

• Chris

For the first time, official binaries and packages will be provided for all major Linux distros for php-community releases on php.net

Who is going to create and maintain these packages? Who decides which distros, which versions, etc? Like sandboxing, this could fill an RFC on its own.

Initially me as the author of the RFC, then php-src maintainers.
Splitting up this RFC into sub-RFCs is not an issue to me, but I would prefer to get a general positive consensus before spending more time on actual implementation.

Multiple versions of the same feature may be offered at the same time in a single php-community release

How will this work, code-wise? Are these versions actually separate implementations side by side, or limited to changes that can be represented with feature flags?

What is the minimum lifetime and lifecycle of these versions? Can a version be retired early if it has an unsolvable stability or security issue?

Clarified that this was mainly meant for removal/deprecation feature extensions.

The exact lifecycle is explicitly not defined to allow for more flexibility, but it can have emergency yanks for security issues, just like for all extensions.

internals members through GitHub 👍 = Accept, 👎 = Reject, 👀 = Abstain reactions on the issue using their GitHub accounts,

I don't think we have any suitable definition of "internals members" that can apply here. Do you mean people with commit access to the php-src repo? Or are you hoping to cross-check GitHub users against main.php.net accounts (as used by the current voting widget) somehow?

By internals members I mean users with current voting rights, who will provide their GitHub nicknames.

A feature is eligible for removal only if both of the following conditions are met:

• It has no active maintainer listed in the accepted community RFC design document.
• Adoption is negligible, as evidenced by Packagist statistics.

This feels incompatible with the rest of the process. If features are easy to propose, release, and iterate, it should be just as easy to mark them abandoned or obsolete. Otherwise, an interesting but flawed feature has to be maintained forever even if its author loses interest - and who is going to do that maintenance?

If the intention of these features is to be experimental, perhaps every feature version could have a fixed lifetime. Users know that they can't rely on it long-term, but if it's popular it will hopefully make it into a stable release of PHP.

The point here is that users MUST be able to rely on feature extensions, including in the long-term: this is the reason for the stringent removal requirements.

php-community will always be based on the latest stable PHP release

Who will be responsible for merging changes made to "feature extensions" back to master, and stabilising the first community release after a new stable release?

The feature owners handle all changes to feature extensions.

Normal PHP RMs handle merging stable PHP into the community branch.

Community releases are “handled” by the same release managers of the latest stable PHP release, however the release process will be significantly automated, compared to the current manual release process

Is there something that makes this automation easier for community releases than regular ones? Or is automaton of the existing process something that needs to be done before we can consider this RFC?

It can be applied to regular ones as well, but it was added mainly to work around the fact that normal PHP already has third-party distro packaging, while php-community will not, unless it is provided from the start by php.net http://php.net/ directly.

Wait for the CI status of the new branch to become green

If there are failing tests in a particular feature when it's time to tag a community release, what happens? Does the release get delayed until the maintainer of that feature fixes it?

Feature maintainers cannot merge a failing PR, just like with all other php-src PRs.

php-community will live on a new community branch of php-src

Who will be responsible for the stability of this branch? This is really important, because you're targeting this concept at shared hosts, who want to know the software they're running is stable and secure.

The feature authors, backed by the judgement of internals members and php-src maintainers.

Why will somebody trust this branch containing a bunch of separately-maintained feature extensions any more than they would trust a repository of PIE extensions? If anything, it is far more dangerous, because the features aren't limited to the normal extension API.

Sandboxing plays the single most important rule in building trust.

Note: the first community RFC may indeed be the one regarding the choice of appropriate sandbox keys.

By definition, the sandbox mechanism needs to exist outside of the feature extension system, and be stable across community versions. As others have said, it's basically independent of this proposal, and should be its own RFC following the normal process.

Yes, absolutely.

In other replies on this thread you've emphasised the role of feature maintainers, but the RFC doesn't go into much detail about how that role will work. Will it be like maintaining a PIE extension, committing code directly, but in a directory of php-src? Or are other members of the community expected to review their code and merge it?

Clarified now, mainly it’s like maintaining a PIE extension committing code directly to php-src, with some supervision from php-src maintainers (mainly just a basic qualitychecks), crucially little impact on the actual API and design (which is the main way to reduce load on php-src maintainers).

I think this RFC is trying to do two conflicting things at once:

1. allow users to test far-reaching, experimental, changes to the language and engine
2. allow users to enable safe, stable, features without installing untrusted binaries

These are not conflicting things, they complement each other.

For problem 1, what we need is a way to get usable builds into the hands of users from experimental branches of the source. If CI tooling and release packaging can be automated enough, there's no reason to limit it to just one "community" branch.

Actually, the second php-community distro could theoretically be skipped altogether, shipping PhpFeatures into normal PHP, which would likely increase adoption even more.

For problem 2, we need stronger guarantees of stability, not weaker ones: better sandboxing so people trust extensions more, perhaps; or more feature flags within the existing release cycle.

Sandboxing is expected to cover this.

Regards,
Daniil Gentili.

Hello !

Le dimanche 15 mars 2026 à 13:44, Daniil Gentili daniil.gentili@gmail.com a écrit :

In other words, feature extensions are "guests" allowed into the php-community branch, or PIE extensions "pre-installed" into PHP, and are developed and maintained exclusively by their owners just as if they were a standalone extension, with some overview from php-src maintainers, yet maintaining independence on design/API choices (again, as if they were standalone extensions).

I'm following this thread and it make me think about the current extension landscape.

Maybe I'm a bit naive here but I think that this discussion can give more room to extension development:

• Extensions are outside of the php-src and maintained by their maintainers
• Extensions can interact with PHP core without adding work for the current maintainers
• No need to distribute specific PHP versions with available features.

Also I'm afraid that if we have a lot of different features in the progress that will create a crazy possible combination matrix. How to ensure everything behave correctly with all the others, or only some of them inside the community version?

So I don't understand why we need the php-community version if it contains "only preinstalled" extensions that users can experiment themselves. Maybe it can allow verifying adoption but that means users that will switch to the community version for a daily usage and it'll split the user base.

However I think deeper features and experiments are important. I think that extension can't completely change PHP behavior today, extensions might only have access to specific part of the engine lifecycle. Maybe it can be interesting to add more hooks so extensions can leverage deeper features and changes?

I think it can simplify this RFC by having a complete separation between the engine, stable and production ready and the experiments (which can stay extensions).

With PIE it's now easier to install extensions and also test them.

This way users can install extensions, tests features. An extension become really useful it can still be merged in the core like it was done in the past (maintainers can still maintain the core part).

Thanks
Stéphane

Stéphane Hulard
https://chstudio.fr

Clarified the following points: ideally, php-community releases will come with all major versions (i.e. ^1=1.1 + ^2=2.1 + ^3=3.0, not 1.0 + 1.1 + 2.0 + 2.1 + 3.0) of all feature extensions shipped together.

Security updates are provided to all versions currently shipping in php-community releases.

Removal of old major versions happens at the discretion of feature owners, based on adoption statistics.

I've seen adoption statistics mentioned a number of times in this thread
and a few times in the RFC, but I can't find anything that explains how
these statistics will be gathered and measured. Will this be determined
through community surveys? Will PHP need some kind of "phone home"
functionality to gather statistics about feature usage?

Cheers,
Ben

I don't understand the security part. Do you mean that people could report

security issues for those community branches? If so, then it's completely
unrealistic as we are already struggling with handling security issues for
the current branches.

I honestly do not consider seriously any argument based on "it's too much
load for maintainers", including around security (which is still a
responsibility of feature owners).

PHP is one of the most used programming languages in the world.

The PHP foundation, and by proxy its sponsors, are actively paying php-src
maintainers in order to not just make PHP secure, but also improve it in
every way possible (unlike myself and Edmond, as we are both working as
unpaid volunteers, investing a huge amount of time to develop and push
major improvements to the language, for free).

I honestly do not believe that sponsors actually paying the php-src
maintainers would be against the introduction of genuinely useful, quality
of life improvements like async, generics, etc just on the basis that it
would be too much work for php-src maintainers.

Yes, it would be more work.
Yes, PHP needs this to become a better language and compete with other
modern languages.