On Sun, 15 Mar 2026, 16:36 Jakub Zelenka <[email protected]> wrote:

> On Sun, Mar 15, 2026 at 3:51 PM Daniil Gentili <[email protected]>
> wrote:
>
>>> I don't understand the security part. Do you mean that people could
>>> report security issues for those community branches? If so, then it's
>>> completely unrealistic as we are already struggling with handling security
>>> issues for the current branches.
>>
>> I honestly do not consider seriously any argument based on "it's too much
>> load for maintainers", including around security (which is still a
>> responsibility of feature owners).
>
> Except feature owners won't be able to do any triaging, security impact
> analysis (deciding whether it's a security issue - this is done by the
> security team), allocating CVEs, test the patches in our security repo, do
> the security release and publishing / updating all advisories. And I'm not
> even considering extra reporting will be required by CRA. So I think you
> might be underestimating the amount of work for handling security issues.

I do not underestimate it, I simply do not consider it to be a problem, given the context of PHP needing a LOT of new features in order to compete with modern languages. Userland has been polyfilling them left and right (static analysis, amphp), but this is not the way forward. A serious discussion needs to be done around a simple question. Does internals want to keep PHP mostly as-is, in de facto maintenance mode (just security fixes, no expensive major features) to reduce the workload on maintainers, and slowly creep into irrelevance? Because this is, put bluntly, what is being proposed.
