
The PHP Podcast 2026.04.02

🎙️ The PHP Podcast – Special Episode

April 2, 2026 | Guest Hosts: Joe Ferguson & Sara Golemon

In this special episode, Joe Ferguson and Sara Golemon step in as guest hosts while Eric recovers from illness and John is busy in Discord. They cover AI tool challenges, PHP Foundation updates, Unicode adventures, infrastructure work, and the eternal debate about when (and when not) to use AI.

🎯 Episode Highlights

  • 🤖 Claude Code Drama: 10-20x token usage bug from cache misses – users burning through quotas in 15 minutes
  • 🔓 Claude Source Leak: CLI source code leaked via JavaScript map file, leading to “code laundering” across languages
  • 📉 GitHub Reliability: Falling from “four nines” to 89.99% during Azure migration
  • 🏢 PHP Foundation News: Elizabeth Barron joins as Executive Director, Matt Stauffer joins board
  • 🗳️ Release Manager Elections: Joe running for PHP 8.6 RM (3rd attempt!), discussion of “hands-on” vs “hands-off” terminology
  • 🔤 Unicode Victory: Joe fixes emoji support on people.php.net (UTF-8 → UTF-8MB4 migration)
  • 🏗️ Infrastructure Work: Joe helping Derek with Ansible playbooks, running 8 Debian VMs on Proxmox
  • 📦 Pie Progress: James building Pickle replacement integrated with Composer
  • ⚠️ NPM Axios Attack: Supply chain compromise caught in under 3 hours
  • 💬 Copilot Controversy: Now labeled “entertainment purposes only” + injecting ads into PR reviews
  • 😊 PHP Happiness: Celebrating what makes modern PHP great
  • 🤝 Contributing to PHP: How to get started with php-web, docs, and source code

🎙️ Guest Hosts

Joe Ferguson

Senior Developer at PHP Architect

Running for PHP 8.6 Release Manager (hands-on position, third attempt). Working on PHP infrastructure with Derek using Ansible and Proxmox. Fixed emoji Unicode support on people.php.net.

@joepferguson

Sara Golemon

PHP Core Developer

PHP Foundation board member. Former 7.x release manager. PHP Appalachia organizer. Moving out of the country soon. Deep expertise in Unicode, internals, and language design. Vocal advocate for balanced AI approaches.

@pollita@phpc.social

🤖 AI Discussion: Finding the Balance

The hosts took a refreshingly nuanced approach to AI tooling:

  • What Works: AI-enhanced search (Gemini), appropriate code assistance
  • What Doesn’t: Treating AI as infallible, forced integration everywhere, security vulnerabilities from blindly accepting suggestions
  • The Fear: Joe’s honest concern about being replaced by “a trench coat full of three Claude bots”
  • The Reality: AI is a tool that has appropriate uses – if people would just use it appropriately
  • The Quote: “Code laundering” – rewriting leaked source code through AI to create “new” implementations

🔤 Joe’s Unicode Adventure

A deep dive into database character sets, triggered by trying to add emojis to his PHP.net profile:

  • Some emojis worked (⚽❤️), others failed (🏎️🏒)
  • Root cause: Database field was UTF-8 (3-byte max), needed UTF-8MB4 (4-byte support)
  • The fix: Simple ALTER TABLE command updating character set
  • The impact: Now supports high-numbered emojis, CJK characters, and yes… ancient Egyptian hieroglyphics
  • Sara’s insight: “I have way too much of Unicode in my head because of PHP 6”
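As an added example (not code from php-web or people.php.net), the following PHP script shows the mechanism behind that list: MySQL’s “utf8” charset is really utf8mb3 and stores at most three bytes per character, so any code point above U+FFFF, which UTF-8 encodes in four bytes, cannot be stored until the column is utf8mb4. The script finds such characters in a constructed sample bio and carries the corresponding ALTER TABLE; the table name `users`, column name `profile` and the collation are assumptions, since the page names none of them.

```php
<?php
declare(strict_types=1);

/*
 * Added example, not code from the php-web repository. Table and column
 * names are assumptions for illustration.
 */

/**
 * Decode one 4-byte UTF-8 sequence into its code point.
 * Layout: 11110xxx 10xxxxxx 10xxxxxx 10xxxxxx (21 payload bits).
 */
function decodeFourByteSequence(string $bytes): int
{
    if (strlen($bytes) !== 4) {
        throw new InvalidArgumentException('expected exactly four bytes');
    }
    return ((ord($bytes[0]) & 0x07) << 18)
         | ((ord($bytes[1]) & 0x3F) << 12)
         | ((ord($bytes[2]) & 0x3F) << 6)
         |  (ord($bytes[3]) & 0x3F);
}

/**
 * Return every character in $text that needs a 4-byte UTF-8 sequence
 * (code point above the Basic Multilingual Plane), keyed by the character,
 * with its code point formatted as "U+XXXXX".
 * Throws if $text is not valid UTF-8: the /u modifier makes PCRE verify that.
 */
function findFourByteCodePoints(string $text): array
{
    $count = preg_match_all('/[\x{10000}-\x{10FFFF}]/u', $text, $matches);
    if ($count === false) {
        throw new RuntimeException('input is not valid UTF-8');
    }
    $found = [];
    foreach ($matches[0] as $char) {
        $found[$char] = sprintf('U+%04X', decodeFourByteSequence($char));
    }
    return $found;
}

/** True when $text can be stored in a MySQL utf8 (utf8mb3) column without loss. */
function fitsInUtf8mb3(string $text): bool
{
    return findFourByteCodePoints($text) === [];
}

/*
 * The schema change that widens the column (names assumed). utf8mb4 stores
 * up to four bytes per character, i.e. every Unicode code point. The collation
 * has to be a utf8mb4 one as well; a utf8mb3 collation will be rejected.
 */
const WIDEN_PROFILE_COLUMN_SQL = <<<'SQL'
ALTER TABLE users
    MODIFY profile TEXT
    CHARACTER SET utf8mb4
    COLLATE utf8mb4_unicode_ci;
SQL;

// Constructed sample bio: two BMP emoji followed by two supplementary-plane emoji.
$bio = "⚽ ❤️ 🏎️ 🏒";

foreach (findFourByteCodePoints($bio) as $char => $codePoint) {
    printf("%s (%s) needs 4 bytes and will not fit a utf8mb3 column\n", $char, $codePoint);
}

if (!fitsInUtf8mb3($bio)) {
    echo "Schema change needed before accepting this input:\n",
         WIDEN_PROFILE_COLUMN_SQL, "\n";
}
```

On this sample the soccer ball (U+26BD) and the heart (U+2764 plus the U+FE0F variation selector) are three-byte sequences and pass, while the racing car and hockey stick are reported, which matches the split in the list above. Running `fitsInUtf8mb3()` on the server side before a write is the cheap guard: under MySQL’s strict SQL mode a four-byte character in a utf8mb3 column raises an “Incorrect string value” error, and outside strict mode the value is silently truncated at that character, which is a confusing failure to debug from a blank page.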

🗳️ PHP 8.6 Release Manager Elections

Joe is running for release manager (third attempt) and discussed the evolving terminology:

  • Old Terms: “Rookie” and “Veteran” – implied experience requirements
  • Proposed Terms: “Hands-on” and “Hands-off” – describes involvement level
  • The Goal: Hands-on RMs do week-by-week work, hands-off provides oversight/mentoring
  • Current Field: 7-8 candidates for hands-on positions
  • Joe’s Odds: Close to tied for second position
  • The Endorsement: “Yo Joe!” (because yelling is half the battle)

🏗️ Infrastructure & Contributing

Joe’s Infrastructure Work:

  • Helping Derek manage PHP infrastructure via Ansible
  • Running 8 Debian VMs locally on Proxmox to match production
  • Backfilling playbooks for existing servers
  • Addressing bus factor concerns (Derek as single point of failure)

How to Contribute to PHP:

  • Start at github.com/php README for repo overview
  • php-web: Website code, can run with built-in PHP server via router.php
  • php-src: Core engine – surprisingly approachable for learning C
  • Documentation: 800+ contributors, mostly docs (smaller blast radius)
  • Infrastructure: Now using Ansible, moving away from custom solutions
  • Principle of least privilege: Access scoped to what you need

🏢 PHP Foundation Updates

  • Elizabeth Barron: New Executive Director – plugged into open source funding, CHAOSS experience, PHP Appalachia organizer roots
  • Matt Stauffer: Joined board for broader perspective distribution
  • James Titcumb: Working hard on PIE (Pickle replacement) with Composer integration
  • PIE Progress: Works with Composer, no need for separate package management

🔐 Security Stories

NPM Axios Attack:

  • Maintainer account compromised, malware published
  • Caught and patched in under 3 hours
  • Massive blast radius potential (widely-used HTTP client)
  • Question raised: Why doesn’t this happen more in PHP?

PHP’s Git Server Compromise (2021):

  • Vulnerability in GitDev web view allowed commits as Rasmus and Nikita
  • Obvious exploit code caught quickly
  • Response: Migrated to GitHub, introduced code review processes
  • Transparency: Public video explaining what happened and remediation

😊 PHP Happiness

A counterpoint to “PHP Sadness” – celebrating what’s great about modern PHP:

  • Enums, types, attributes, match expressions, named arguments
  • Sara’s take: PHP 3, 4, and 5 were already pretty awesome
  • Joe’s journey: Perl → PHP 5 (skipping PHP 4 pain)
  • The evolution: Each version has been a meaningful improvement
  • The vibe: Don’t forget that PHP has always been good at what it does

🎤 Memorable Quotes

“Code laundering” – describing AI rewriting leaked source code into other languages

“GitHub’s got their nines back – they just start with an eight now” – on 89.99% uptime

“I’m worried a trench coat full of three Claude bots is going to replace me” – Joe on AI anxiety

“I have way too much of Unicode in my head because of PHP 6” – Sara

“This podcast is not brought to you by any LLM ever”

📅 Upcoming Events

  • php[tek] 2026 – May 19, Chicago
    • Joe: “My number one favorite conference”
    • Sara: “Would totally be there if I weren’t moving out of the country”
    • Also featuring JS[tek] track for JavaScript developers

📬 Connect & Hire

Looking to hire PHP developers? Email support@phparch.com – Joe and the team are available for consulting, infrastructure work, Ansible playbooks, and code review.

🔗 Resources Mentioned

Partner

This podcast is made a little better thanks to our partners

Displace

Infrastructure Management, Simplified
Automate Kubernetes deployments across any cloud provider or bare metal with a single command. Deploy, manage, and scale your infrastructure with ease.
https://displace.tech/

PHPScore

Put Your Technical Debt on Autopay with PHPScore

CodeRabbit

Cut code review time & bugs in half instantly with CodeRabbit.

Music Provided by Epidemic Sound

https://www.epidemicsound.com/

The PHP Podcast
The Official Podcast of PHP Architect
Subscribe at phparch.com

Transcript

[03:17] Welcome to the official podcast of PHP Architect. Join us to listen to the latest news and tech talk from our conferences, the magazine, and wider PHP community.
[03:35] Y’all need to stop picking on Archie. Archie hasn’t done anything to you. Archie’s dumb. Hey, John. Hi, Eric. Long time no see. Yeah. Always giving me a hard time for not responding to you in Slack.
[04:14] Thank you.
[04:43] We’re in. Hack the planet!
[04:47] Welcome to this week’s PHP podcast. I’m Joe Ferguson, and with me this week is Sara.
[04:57] You just said my name, so I don’t intend to do this.
[05:01] With me today is Joe. How about that? Yes, it’s both of us. Today, Eric was feeling a little bit under the weather, and John is busy doing something. I mean, John’s busy in Discord, so he couldn’t make the podcast either. So I was asked if I wanted to do the podcast and said, yeah, sure. And then Eric was like, oh, well, I’m going to reach out to Sara, too. And I was like, oh, well, I’m definitely in now if Sara’s going to be on it. Yeah. So here we are. This is the PHP podcast done by PHP Architect, who I work for. I have the little fancy shirt, too, just with a nice little elephant logo.
[05:36] If you are looking for an event to go to coming up in Chicago, we have php[tek]. It is our yearly PHP conference. It is a fantastic event. You get to hang out with a bunch of PHP people in Chicago in May. So you can check that out at phptek.io. And we also have a partner with us that helps make the podcast happen, Displace, from a friend of the community. And we will talk more about them in a little bit. And I want to endorse that conference. I do not work for PHP Architect. You can tell because I’m not wearing a PHP Arch shirt. It’s actually from PHP Appalachia 20 years ago. And if you know, you know, but php[tek] has always been my favorite conference. It is my number one favorite one to go to. And if I weren’t moving out of the country in about a week, I would totally be here. So we need to get Eric and John to do php[tek] Appalachia is what I’m hearing. I’m still waiting on the world being ready for that, but I’m down. PHP Appalachia.
[06:37] Yeah, yeah, that never happened because we don’t just…
[06:47] Yeah, and I’ve already taken us off for all. I’m sorry. So how’s the week? How has the week been since last week’s podcast, which we were totally involved with? Oh, we were totally there for it. Absolutely.
[06:59] So here at PHP Architect, we’ve been leveraging AI tools. Eric has talked a lot about them on this podcast. And one of the things that we kind of ran into, that kind of made the news rounds a little bit, depending on how into specifically Claude Code you are: apparently there was one verified bug in their client command, or their console CLI tool, that essentially would just cause 10 to 20x tokens out of nowhere, because you used a specific flag, like you resumed your session, and it would just automatically… they called it a cache miss is what was happening. So they were just burning through all of your usage. People were complaining, the people who were on the super duper plans that were really expensive, saying that they were burning through their quota in like two hours. And some of our team members were burning through half of their session quota. A four-hour session is usually what it is. They were
[07:58] burning through their quota in like 15 minutes, and it was doing regular stuff. Of course, this is going to be the customer’s problem, not…
[08:06] Yeah, oh no, it can’t be the fault of the people or the company, because Claude writes his own code, right? Claude writes his own code, and apparently it’s infallible, right? Absolutely. Sure, because Claude reviewed it, right? Mm-hmm. Yeah. Claude was fine. Yeah. Now, no matter how much of the AI Kool-Aid you drink, or just absolutely completely refrain from it, there’s a lot of discussion, and we’re not going to talk about AI the entire time. I promise. We have some other things to talk about. On the note of Claude, and because they actually did fix the usage thing, I don’t know if our team members have seen any improvements. I was luckily not affected by it, but I also haven’t really used Claude a whole lot this week. But another thing, Claude being in the news, is they managed to leak their source code for the CLI tool via a JavaScript map file, which is pretty fantastic if you’re interested in the code.
[09:01] And one of the things that I saw happen almost instantly, that a lot of other people noticed as well, is people were running the Claude source code through Claude to make it rewrite it into other languages. And somebody on Mastodon called this code laundering, and I laughed out loud, and then I got really sad, because that is what the AIs have been doing for the past two years. Absolutely. Absolutely. Yeah, for sure. So yeah, hack on to us if you want to play with Claude’s Code CLI source code. You can go do that now, and you can apparently pick your language as well. So try not to get your token stolen. Don’t run things as root from the internet, people. Just be careful, right? I don’t want to pick on Claude too much. Claude’s had a bad week. He has had a bad week. Needs to go see his artificial therapist or something, because it’s been rough. Almost as bad as GitHub falling out of the four
[10:00] nines, right? And the reliability, that’s been another thing that I’ve actually been hit with this past week, was GitHub availability, and trying to edit PRs and edit comments in PRs was actually really kind of tough, because they were just having issues. And somebody in one of the Discords I’m in posted earlier that they’ve fallen out of all the nines. They’re now 89.99, whatever the reliability is. Well, see, they got their nines back. They just start with an eight now, right? So it’s fine. It’s fine. It’s nothing to worry about. There’s still five nines in there. Yeah. Yeah, somewhere. Somewhere. It’s just on the wrong side of the business. GitHub was never 100% reliability, let’s be fair. But GitHub had much better reliability. And so that we’re not crapping on Claude all the time, maybe Copilot has something to do with that. It’s possible. I’m going to be a very old person shaking fists and yelling at clouds because…
[10:59] My God, nothing works. And we were talking about this before the show started. Why does nothing work anymore? Back in my day… Speaking of clouds, the other thing that I think is contributing to GitHub’s issues is at some point in the past three or four months they posted a thing saying, look, we’re going to be focused on migrating to Azure. So it read to me, as a customer, it read very much as “we don’t expect many new features, right, we’re going to be doing this other big migration thing.” And I’m wondering if some of this is not like pain points of them cutting over, right, and trying to fire up the new infrastructure to replace the old infrastructure and then just having issues with that. Right, I mean, that’s kind of inevitable to happen. Like, even in the best circumstance, when you’ve got some old graybeard who knows exactly how everything is supposed to work and all of the little quirks, you try
[11:53] to switch clouds, you’re going to run into little tiny things, because there’s just stuff like that. But at the same time, maybe you’re going to say, like, oh, this phase is going a little weird, let’s roll it back so that we have a good user experience while we figure out what went wrong and then try again, as opposed to just sort of charging through, which I feel like might be happening. Yeah, absolutely. I mean, everybody knows that, you know, giant migration plans always go exactly to plan and never have any hiccups or anything, especially with cloud providers. Yeah. Yeah. So how was your week since the last podcast? How was my week? Well, I got over my case of COVID. That was nice. That was nice. I did have to cancel one of the things I wanted to go and see the doctor for while I was here. It involved a camera and some uncomfortableness. And that’s something to say. So I’m happy to have canceled it. Yeah.
[12:57] And I just saw the ophthalmologist to check out my eyes, doing all my medical stuff at once. And, yeah, still blind, but now I’m more blind because my pupils are dilated, so every light mode screen I look at is now blasting me with even more photons than they already were. Because, my God, just implement dark mode. It’s not hard, especially in this day and age. It really isn’t. It’s a little bit of CSS, right? How hard can it be? And I know I’m overstating. I appreciate the PHP theme being darker. That way it doesn’t matter. I think that’s what’s kept us from implementing a proper dark theme all this time, because technically, yes, PHP doesn’t actually have a dark mode. Look in the mirror, because I have a branch that is actually really close to being ready to publish. The problem is the code gem… highlight_string is a function in PHP that will take PHP code and just add highlighting for you, but it only highlights for
[14:00] one color palette, and there is no way to configure it. So what I’ve got right now as well is a patch for internals to allow you to specify your own palette for what’s going to come out, which would be nice and a general purpose thing for everybody. But as I’m writing this, I’m realizing, you know what the right solution here is? Just rewrite this entire thing in PHP, because all it really is is call the lexer and, you know, step through the tokens and color them appropriately. So this can be in userspace. So at some point when I’m not literally moving across an ocean, I will probably work on that. Or if anybody else wants to, patches are always welcome for www.php.net. I recently was told that by another PHP internals person, and I followed it up with a patch. But before we get to that, let’s… I was trying to give you a segue. I know, but before we do that, before I forget about it, I want to thank our
[14:56] partner for helping us make this podcast possible. Yes. Thank you to our partners over at Displace Technologies. Building PHP applications is your passion. Managing cloud infrastructure shouldn’t be your headache. Displace is your partner in cloud infrastructure orchestration, giving solo developers and small teams the tools and automation to deploy enterprise-grade Kubernetes clusters without the enterprise-grade complexity or cost. Their CLI tool streamlines everything from local development to fully managed cloud deployments on AWS, Azure, Google Cloud Platform, and more. Skip the steep learning curve of Docker, Kubernetes, and Terraform. Let their automation free you to focus on your core business without losing control of your infrastructure. Get started at displace.tech, that’s D-I-S-P-L-A-C-E dot T-E-C-H, and discover how the right tools can eliminate the need for a full DevOps team.
[15:59] Thanks, Displace, for supporting the podcast. As someone who does DevOps and would really not like to be replaced by a service, I’m a little conflicted with this. But Displace is fantastic. It’s from a great person in the community, Eric Mann. If you’ve ever met Eric at a conference, he is a fantastic person. And I wish I had access to Displace when I was managing Kubernetes clusters, because it would have helped me a lot, I’m sure. I was managing them the very hard way with Terraform and Ansible. I guess not a hard way, but a complicated way in this day and age. I would say Eric Mann is the anti-AI. He’s the cure to AI, because he will think very carefully about all the code that he pushes, and he’s not going to do security vulnerabilities just because AI told him it was a good idea, right? Yeah, yeah, just because Claude was on one one day. So it was like, just echo raw user input straight to output. It’s fine. It’s fine.
[16:54] Yeah, totally fine. Fine. All right. So what we were alluding to was the segue that I totally dropped. You were talking about how you submitted a patch because I told you a patch is awesome. Yes. So I was doing PHP things on the PHP website, by which I mean I was trying to update my profile on the people.php.net site, which you do from a site called main.php.net, as you do. So I went and I… I am very boring, and I just copy and paste the same string around for my bio on, like, everywhere. So I just went to Mastodon, shout out to PHPC, our phpc.social on Mastodon, grabbed my profile, copied it, and I threw it into the form on the main.php.net site. And I submitted the form and I went about my business. And then I got distracted. I went and looked at another tab or something. And then I eventually made my way back to the site and I got a blank page. And I was like, that’s weird. The whole page was just blank. So I viewed source on the
[17:55] page, and in the code there was a “failed CSRF check” warning. And I was like, okay, that’s weird. So I started playing with it, and then I realized, oh, I have emojis in my profile. I have four of them. I was like, is it the emojis? So I stripped everything out and put the four emojis in, and it would not save. It kept throwing that same error. And I laughed, because of course this is totally a me problem. This is not anybody else’s problem other than me trying to use fancy emojis. So then I started figuring out, okay, which emoji is it? So I have a football, a soccer ball, an ice hockey, a racing car, and I have something else that I’m blanking on in my profile. And I just started putting… I put all four of them in there; that failed. I put three of them in there; that failed. I put two of them. Oh, it was a heart was the other one. So the heart and the soccer ball worked, and it saved to the database, and everything was fine.
[18:48] I was like, okay, that’s weird. So I went and pulled the repo down locally just to see if I could replicate it. And after tweaking some of the Docker Compose stuff to get it to work, I was able to not exactly replicate it, because locally it said the record was updated. But then when I refreshed the page, it wasn’t updated. So I was very confused. So I wrote up a bug report, not really intending for this to be a serious thing. It’s just like, I realize this is my problem, but let me see if I can help figure this out. So I just mentioned it in Discord. And then I started working on the issue. And then Derek chimes in and is like, oh, that’s odd. And so some time goes by and we go back and forth a little bit. And then ultimately it comes out to being a character set for the database. And it was only the user profile field on the database that was UTF-8, which won’t support any of the higher numbered emojis.
[19:45] I’m not sure if it’s the ASCII or what it is. And you can probably explain that difference better than I can. It’ll be the supplemental multilingual plane. Yeah. Right. So the solution was to make that table… do an ALTER on that table to make it UTF-8 MB4. I may get that wrong, but update the character set. Yeah. And I did that locally; it worked perfectly. I was like, oh, hey, I think this is the fix. So I committed the fix, shared the PR, and then Derek got around to looking at it, and somebody else from internals gave me feedback, which was helpful. So I updated the PR, and then Derek was like, I haven’t really done SQL in a while. I don’t know how to do this. I was like, oh, here’s the command I ran. And so he went and did it on the backup server, and it ran fine. And then we had to change something. The collation, I think, was wrong that I had given him. So he fixed that for the live server, and then that worked, and he did that.
[20:39] And then I went and did it, and you can have higher order emojis, or higher numbered emojis, now on PHP.net. It was pretty cool. Yeah. Yeah. Yeah. I saw your diff, and I saw it’s just UTF-8 and UTF-8MB4, before and after. And I understood what it was, but I was still annoyed by it, because I don’t like when implementations… because there are lots of implementations that do this. They’ll take UTF-8, and UTF-8 will support the entire Unicode set. It will go all the way up to one million something to a point. If it’s actually UTF-8… a lot of them will say UTF-8 but actually be something else under the hood. And usually it is something that is restricted to just the basic multilingual plane, which are the first 65,536 characters, and some emojis are in that. Other emojis have been shoved way up into the four-byte range, and that’s what the MB4 is, multibyte four. So yeah, yeah. This is MySQL, isn’t it? MariaDB.
[21:40] So, well, for practical purposes, MySQL. Sorry, in my day, MySQL is MySQL. Yeah, some people split those hairs very on the line. So I try to be explicit. I thought MySQL’s default version of UTF-8 was actually CESU-8 under the hood, CESU, which is an obnoxious and disgusting form of UTF-8, where you’ll take a code point, split it into UTF-16 surrogate pairs, and then run UTF-8 encoding on each of those. And so you wind up with up to six bytes to store a Unicode point, which is the worst option that there is out there.
[22:25] But yeah, good catch. That sounds like a really hard one to catch, honestly, because you have to look at these emojis and be like, well, what’s different about these? Why is this a problem? And Derek was the one who pointed it out, and it made sense to me once he showed the math behind the characters, I guess it’s the Unicode. Once he showed the math, I was like, oh, of course it doesn’t support those, because those numbers are too high. Yeah, the numbers are too high, yeah. Well, because again, a lot of implementations will just cover three-byte UTF-8, because that’s enough for 90% of what you need. It covers every Western language. There’s a lot of CJK that’s not included in there. So you actually just fixed things for a lot of Chinese, Japanese, Korean speakers. So well done. Cool. And if you want to get, I don’t know, ancient Egyptian in there, that might help fix that too. I don’t know if we have a translation for that. It’s been a while since I looked
[23:18] at the supported translations. I don’t think we have a documentation translation for that. It’s like literally hieroglyphics.
[23:25] And there’s some naughty ones in there if you really want to have fun with your people’s page now.
[23:32] See, this is going to come back on me. I’m going to get in trouble for enabling other people to do naughty things in their profiles. I have way too much of Unicode in my head because of PHP 6. More things about Unicode in there than should be in there, honestly.
[23:50] Mike is wondering if he’s tuned into the wrong podcast. You’ve tuned into the right podcast. You’re exactly where you need to be, Mike. The thing is, those comments are delayed relative to our conversation, so he hasn’t even gotten to the hieroglyphics yet.
[24:06] Right.
[24:09] So the other thing that i’ve been poking around with speaking of internals and php stuff uh the other thing i’ve been poking around with or or working on getting to the point where i can start poking around with it is the php infrastructure uh which i’ve known for a while uh derek does a lot of the direct management and day-to-day stuff and i’ve reached out to to offer him uh help where i can because i love tinkering with servers and i’m pretty decent with ansible which is what he’s been using to backfill playbooks for the existing infrastructure. And he recently updated the repo, and I’ve been playing with that. I actually took one of my old gaming PCs through a fresh blank SSD and installed Proxmox so I can start spinning up Debian VMs. So I now have eight Debian VMs that match what is running in production PHP that’s backed by the playbooks. There’s more than that, because I think there’s three or four servers,
[24:58] like the mail server and a couple of other servers that he just hasn’t added to Ansible yet. So I’m working on being able to run all those playbooks locally so I can help him manage and contribute some of that stuff and modernize it if it needs it and just try to pitch in to PHP where I think I can because I’m certainly not going to write any C that anybody wants to accept anytime soon. That is honestly some really important work because I’m not going to say Derek has a single point of failure right now, but in terms of bus factor, it’s on the same level as if we completely lost, well, I was going to say if we completely lost Dimitri, but we have lost Dimitri. It’s a bad example um if we had lost demetri three years ago um when you know before we were like getting the foundation in place and and getting better processes for getting different people uh trained out like basically joe’s post about the
[25:53] bus factor still applies to systems because when something goes wrong with the systems that’s pretty much derek fixing it and there are other people with the keys but like not everybody knows it yeah i think last week or two weeks ago there was an issue with the cdn and only people not in europe were having issues getting to php.net and and derek was the one who had to debug that and he has he was the one that had to reach out to the cdn provider to to debug so yeah it’s been interesting to get some of those insights and uh and see what what is actually going on behind the scenes because there’s there’s a ton that people don’t recognize i’m sure i’m sure there’s more than even what i’ve seen i mean i I think most people can probably guess at a lot of pieces of it because, you know, even those of us who specialize in just software dev, like, we have visibility in the DevOps. We know what goes into, like, making these services actually run because when
[26:43] they break, they call us in to fix it.
[26:46] Um so like i i think a lot of people can at least guess at what’s what goes into that and, i think like at least 90 of what we use is already in like open source like repos you can go and find the scripts if you really want to which i’m sure you’ve just done recently setting up all of your vms um but uh but sometimes it is kind of staggering to realize like how many pieces are in there because it’s more than just the website and it’s more than just the engine source code. For sure. The other thing, well, one thing, speaking about buzz factors, I think where PHP does buzz factor really well is release managers, especially since I think the process got overhauled around 8 or 8.1, where we started doing the 3. Was it earlier than that? Was it 7? It was in the 7 series, yeah. Okay, yeah. So if you’re unfamiliar, the release managers for PHP 8.6, the upcoming release, the voting on who those release managers will be is open.
[27:46] I’m one of them. You can go vote for me. Several people have, and I appreciate that. So the release managers are the people who are in charge of the day-to-day release management of PHP, the source code, the interpreter, and several other things. So these are the people who are essentially in charge of making sure that we merge everything correctly. And the process, if you’re not familiar, is you have one veteran release manager every release and you have two rookie or new people. Mine, I’m running for one of the new people because I haven’t done it before. And then once you’ve done it, you can then run for a veteran position to where you oversee and you mentor people. And I think that is phenomenal to reduce that buzz factor. And not only that, but to encourage people to get involved. Even somebody like me who isn’t involved in the day-to-day internals discussions, but because I don’t really have much to contribute, but wants to help and wants
[28:41] to, and has spare CPU cycles to, to be able to go help and do these things. So it was, it’s pretty good experience, I think. Yeah, and it is continuing to evolve. And I realized what you were saying, like, I was thinking about this thing that had changed back in the seven series, but like it changed again early in eight. So you weren’t wrong. I was thinking of a different part of it. We kind of got into the habit of the rookie veteran cycle early into seven. Um and then we because there were just some really great rookie options that we really wanted to get in uh i think it was either seven four or or eight one i can’t remember which side of of my last release it was uh we decided you know let’s just have just three three people’s fine we can have uh one veteran and two rookies and then we’re training up try to some people and the rookies can focus on it and and the veteran can just go to make sure
[29:34] that things don’t fall over in the meantime, or fill in as necessary. And what we’re doing right now, actually, I just found this out is, and this is kind of a minor thing, but I think it’s an important detail. We are going to be changing. Well, assuming everybody agrees to it, we’re going to be changing the names of these rather than rookie veteran, which kind of implies that somebody who knows what they’re doing should not be filling one of these active rookie slots. We’re going hands off, hands on. So hands off should be a veteran, somebody who’s done it before. They’re there to make sure that everything’s working correctly. But then hands-on, that can be a rookie, or it could be, you know, a veteran, if just somebody’s like, you know, maybe somebody’s retired and they don’t want to be completely not doing anything, they’ll run for one of the hands-on positions anyway. Which I was going to do, but there are a bunch of really good names in there already,
[30:24] tons of people. I think there’s seven or eight of us that have thrown their hat in the ring. It’s pretty awesome to see that kind of turnout for… I want to say there’s at least seven for the hands-on, including you, yeah. I’m not a big fan of the hands-off, hands-on verbiage, and that may just be me. I think Ben Ramsey mentioned he wasn’t a fan of it as well. To me, it’s not really…
[30:50] To me, it comes off as a negative connotation, but I fully get that that may just be me and it may just be a me thing. I mean, it’s not in stone yet. We can figure out what color to paint the bike shed. Absolutely, right? Absolutely. And that’s all this is, is a bike shed painting exercise. But to me, I like the idea that we are no longer
[31:17] focusing on the people who are doing the actual week-by-week work necessarily seeming like they have to be working, because they don’t have to and they never did. But it’s important to kind of just remind everyone when that phase comes along.
[31:37] Yeah, I’m looking, even if I don’t get it, I’m looking forward to it. I think this podcast probably knows very well that Eric famously ran for release manager and also did not get it. This is my third attempt, and if I don’t get it this time, I’ll keep trying. Have you not done it once yet? I’ve not done it at all. How is that possible? Because when I sign up, there’s five or six other awesome people. Because you are such a thought leader. Yeah, my first choice went to you. So yes, I appreciate that. Looking at it, it looks like we’ve got a clear front runner for the first position, and I think you’re kind of close to tied for second, so we’ll see how that turns out. Yeah, we’ll see what happens. And like I said, if I don’t get it, I’m not going to be like Eric and get really mad about it. It’s okay.
[32:32] Oh, Eric’s not. Eric’s not even mad about it. Eric’s not mad about it. We just like to give him crap about it. Just because he took the week off out of protest and calling it man flu or whatever he did. Like, no, we understand. He’s not that mad. John still hasn’t accepted it, then. Yeah.
[32:50] And yes, when you cast a vote for Joe to be your release manager, you must shout “Yo Joe,” because yo-ing is half the battle. Yo-ing is half the battle, right.
[33:04] So what, I guess, recently has been going on with the PHP Foundation? What’s been going on? I know that there’s been two big headlines. They talked about Elizabeth Barron joining, and then they talked about Matt Stauffer, I think, last week, joining the board. What else has been going on? Going on with the board? Sorry, going on with the foundation? Gosh.
[33:33] We’re put on the spot for this one. Sorry, sorry. I mean, those are the big things, honestly, is welcoming Matt onto the board. We’ve had a committee position open for a little while. Not that we’ve been advertising for anything, but we need a better distribution of who is kind of making the month-by-month decisions, because we don’t want it to just be, you know, a single yes think tank. So Matt brings in some other perspectives that aren’t currently present, so that was an important thing. And then, yeah, Elizabeth. God, okay, so the hunt for the executive director, that felt exhausting to me, because there were definitely some really good candidates on the board. I’m not going to name any specific names, because that’s their choice if they want to make that public or not. But I definitely.
[34:30] Definitely, yeah, the top five or so of that set was a really good set of options. But I’m happy with the choice for Elizabeth. She’s plugged into open source. She’s plugged into getting funding for open source and managing things with her work at CHAOSS. And, of course, she has her roots in PHP. Again, I’m wearing this shirt. She organized the original PHP Appalachia 20-some years ago. So, you know, she’s not just some rando who’s popped in on the scene. Not that any of the others are randos; they were all well established and good people. But yeah, the devs, they’ve all got something to work on. I know James is still working really hard on Pie. I’m super excited for Pie. I think Pickle has been needing replacing for a really, really long time. And he’s made something really great with Pie that works with Composer well. Like, we don’t have to host our own package management things if the community is going to do it.
[35:37] Because the community is going to do a better job at it. Like, George has been running Packagist and Composer, or Nils, sorry, has been running Composer for so long and doing such a damn good job of it. Composer changed the game, man. Like, I was so happy when Composer became, like, a solid thing. So I’m more than happy to let extensions kind of live out in the world outside of PHP. I think that’s a good thing. Absolutely. Yeah, I helped James test a Mac binary that he was working on with Pie, because if you’re going to run some questionable code from the Internet and from somebody across the country or across the world, why not, James? I mean, it seems fine. We’ll just throw it at Claude or Copilot or something. They’ll make sure it’s fine. Right. Sure, Claude will be like, you’re absolutely correct. This is totally fine.
[36:28] But Claude, this appears to be a Linux binary. Oh, my mistake. You’re absolutely right. You’re absolutely right. Let me reformat that for you.
[36:36] Let me rewrite this binary. I renamed it to .exe, it should work now. No, I think some of them would be at least reasonable enough to try to disassemble them first and then fail spectacularly at that, is what would be my guess. But yes. Rename this to the Crapping on AI podcast.
[36:56] This podcast is not brought to you by any LLM ever.
[37:01] Eric, John, sorry that you’re not going to get that sweet Microsoft sponsor money for Copilot endorsements. Did you see where people pointed out that the Copilot terms have changed recently and there’s now a very big, bold statement that essentially says Copilot is for entertainment purposes only?
[37:21] So you’re not supposed to do anything with Copilot in production? It’s entertainment only? Oh, sick own burn. Oh, my God. I was like, wow, that’s a choice. I mean, you know what? Honestly, you know, maybe that’s what they’re finding out.
[37:47] They can’t trust it, yeah. I personally have found AIs to be incredibly entertaining over the years. Yes,
[37:57] The other Copilot thing that I saw recently was they started injecting ads into PRs that Copilot reviewed. The very last line of the review that Copilot would do would be a, come visit this URL, sign up for this service and use Copilot. And somebody did a GitHub search, because GitHub search is usually really good, right? They searched for that string and it was just thousands of PRs that were just adding this on there. And I saw something, supposedly that was going to stop and Microsoft was going to stop doing that because of how prolific and how much pushback there was for that. Which honestly I’m happy about, because that’s what companies need to do. They need to listen to their users, especially when it comes to this AI stuff, because it’s not the right tool for all the jobs, which is what all of the tech bros and AI companies are trying to push on you. It is a tool if you want to use it.
[38:52] My personal issue with it, all the issues aside, I’m kind of terrified that if I don’t learn how to use it or work with it, that I’m going to be replaced. I’ve told Eric and John before, I’m worried that, you know, a trench coat full of three clawed bots is going to replace me. Luckily, I do a— Sorry, go ahead. I was just going to say, I mean, you’re not wrong. As much as I just absolutely dunk on AI all the time, the reality is it is a tool that has a place in the world. And if people were using it at an actual appropriate level where it’s like this is a good use of the technology, I think AI in search has been fantastic. I throw a plain language search query at Google, and Gemini usually gets me, maybe not always accurate results, but at least, you know, it’ll get me close enough that I can figure out what the answer is. I think that’s been a great use. But to what you said, yeah, right now, people are trying to throw it at every single thing.
[39:57] And the fact that you cannot run Windows 11 without AI being all up in your face is broken. And it’s not a good look at all. I’ve managed to run Windows 11 without Copilot, and I’ve had to disable it on three separate occasions. So only three? Only three, yeah. So, yeah. So another funny AI thing, as you’re listening to the AI dunking podcast: earlier it just came across, my friend was playing a racing game. He was driving a Supra, and he made the statement of, I wonder if these are real rear-wheel or all-wheel drive cars. And I just threw it into Google. I was like, Google, were there any Toyota Supras that were all-wheel drive? And Google said, typically, hypercars or supercars are all-wheel drive. It’s like, no, no, no, a Toyota Supra. And Google’s AI was like, no, no, no, you’re talking about a supercar, not a Supra. So it’s just like, so Google’s AI is just completely oblivious to the Toyota Supra.
[41:05] It got lost to its own autocorrect? Oh, my God. I don’t know. I think that’s just one of those things that the autocorrect is prioritized higher than the inference of the AI, maybe? I just thought it was comical. I’m so used to AIs just being obsequious about like, oh, no, you’re right. The sky is definitely orange. Yeah. I completely agree with you. It’s actually kind of surprising to have it disagree with you. Yeah. It’s like, no, there’s no Toyota Supra. It’s only supercars. Right. It’s like, okay, Google, I guess your AI is right. Fine.
[41:48] Oh, man. Yeah, we could dunk on AI just all day long, man. Did we have other topics? We do have other topics. I actually have a general question about more internal PHP stuff. So we talked about the infrastructure repo. We talked about the web. No, we did not talk about the infrastructure repo. We talked about your work with VMs. Oh, yes. We did not talk about the infrastructure repo. The infrastructure repo is a set of Ansible playbooks that connect to the servers and perform tasks like configuring services and doing deployments and such. That’s what I’m going to be tinkering with. But there’s other applications out there. There’s main.php.net, there’s php.net itself, there’s a wiki as well. And this is all raw, vanilla PHP. And even in the contribution documentation on all these repos, it says very plainly, if you’re contributing, this is expected to run
[42:48] on vanilla PHP, please don’t use any extensions. And I get that. I guess my question is, why is that? Why are these applications, for lack of a better word, why are they lagging behind compared to, like, modern PHP? I mean, even looking at Symfony, Laravel, the big names, why do those apps linger, or not really linger, they’re maintained. There’s multiple questions in there and I’ll try to address each one. So, like, the first one is, like, why aren’t we using frameworks or, like, you know, extra libraries to make these things? Because why write all the code again ourselves? The very simple answer to that is that from very early on, and this largely came from Rasmus, but I think a lot of us very much agreed with this. It’s like, we don’t want to be seen to be endorsing any one framework. We don’t want to be seeing like, well, well, PHP 9 uses, let’s say, Zend Framework 1.
[43:49] So that’s clearly the best and the one we should be using. And we really, really don’t want to be saying that. We want to say like, okay, PHP is, it’s a Turing complete language, do what you want in it. And if you want to go and grab a framework, somebody else’s, go for it. That’s fine. But we’re going to tell you what you want to do because that’s not our place to do. And I still feel that way in terms of wanting to avoid showing favoritism. But at the same time, like the reality is, there are some really great frameworks out there and I’m not going to name any of them right now, but there are some really great ones out there. And like, I wouldn’t lose any sleep if people were, you know, trying to champion, and succeeding at, putting a framework onto PHP out of that. Right. But it is also one that we need to be cautious about how we do it. Yeah. That’s an interesting angle. I hadn’t thought about that,
[44:44] but I think I agree with it. It’s perfectly valid to not show favoritism. Yeah. Kind of the second thing in there, which I kind of heard like hiding underneath it, is like, well, why does the code seem to be getting kind of on the old side? Like, why is it like, okay, fine, we’re writing it ourselves, why aren’t we updating it, why aren’t we making it newer? My answer to that would be like, god damn it, I have been. And the second answer is, I need to channel some Eric in there.
[45:14] Commits are definitely going in that are modernizing the PHP code base. And for a period of time the danger there is like, okay, we have all these different mirrors all over the world that we don’t even control, because our mirror program used to be completely voluntary. Somebody would spin up a server, they tell us about it, we’re like, okay, we’ll point, you know, pt.php.net at you because you’ve got a server in Portugal, fine. That has changed. Now it’s all just a single site that’s controlled by us and then mirrored by the cloud. But there was a long time where it’s like, well, we can’t use 7.0 code in this because there’s a bunch of 5.x mirrors out there and it has to run on them. So that would slow things down a bit. And even now, I mean, if it ain’t broke don’t fix it applies a lot of the time. Absolutely. I have gone through and updated a number of things, especially in the 7.x period where
[46:12] I was doing actually a lot of release management stuff. I would go in and change things like the download pages and stuff like that, to just make them easier to get updates about the new releases that were coming out. And occasionally some new bit of functionality would get thrown in there. There’s lambdas in there, there’s null coalesces in there, there’s various little bits of more modern stuff. And I say this like lambdas or null coalesce are modern, but you know what I mean, modern compared to where it was, right. And I’m not saying this code is bad at all, right. That’s not my point. Yeah, I don’t think it is, honestly. I think it’s pretty decent code. Yeah, it’s simple, it does what it needs to. Yeah, even debugging this Unicode thing in a code base that I have never looked at, I was able to go in and find the database class in the src folder exactly where you’d expect
[47:05] it. And it made my heart flutter a little bit where I saw a bunch of includes, including hard path files. I was like, oh man, I remember those days. Yeah. Oh yeah, because we don’t use Composer either. Well, I think there’s a composer.json in that project. I don’t know that all of those pages are using it. So I think it may be mid-migration or something. I saw require and just kind of had a fond chuckle. You would have been working on main.php.net, right? Yes. Yeah, okay. I’m not as familiar with that code base. I had very little cause to do anything to the main website. Yeah, because you were trying to use four emojis in your profile. I have definitely put emojis in my profile, but apparently not the multibyte ones. Right. Which, by the way, I want to mention, Eric put a comment much earlier in the chat somewhere where he was saying that apparently supplemental multi supplemental
[48:04] multilingual pain pain pain pain, jesus, sorry. There are SMP code points that were working just fine, like the CJK stuff. And it was something more specific about the emojis specifically, which is surprising to me, because the only thing about the emojis that might be in there are like the zero-width combining, but there’s no reason zero-width combiners shouldn’t have worked based on the character set. So I’m not, we’ll have to get Derek to explain to us exactly what the issue was there. So if we wanted to encourage people to contribute to this, where would they start? If somebody’s like, I want to go work on some PHP sites.
[48:47] Actually, the first place you could start with that is actually just github.com slash php, not into a specific repo, but just the organization PHP. There’s actually a README.md on there that talks about a lot of the different repos that are under the PHP umbrella. Not all of them. We don’t go exhaustive with it, because you might as well just look at all available repos at that point. But the most common ones, like the repo for the website, the repo for the documentation, the repo for the English translation, the actual source code repo, those are highlighted in there. And I mean, again, it is open source. Like, go and take a look at it. And php-web is the website. It is all PHP code. Like, I think anyone watching this podcast should be able to just grab that. You can actually just run the PHP built-in web server, because there is a, I think it’s router.php on there that will just serve up the php.net website from the built-in web server as a single command,
[49:44] and go, and it’s in the readme somewhere. So, like, getting that up and running shouldn’t, asterisk, be hard. And it’s not like you need a bunch of extensions either, right? No, you don’t need a bunch of extensions. There’s a couple, I think, mbstring and a few others that you do specifically need. But, like, if you wanted to work on that dark mode thing, don’t wait on my account. If you want to get that thing going, go for it. Like I said, the syntax highlighting you can do in user space. And I don’t even think it would be hard. So, like, work on it. For all the pull requests, the way php-web is laid out, once somebody with authority has said, like, this is clearly not malicious code, they can push a button and you will get a spun-up instance to show you how it actually gets served up. And it’ll be, you know, some weird string dot whatever php something dot net. It won’t be php.net, it’ll be a.
[50:39] Yeah, that’s just working on any PHP project. And hopefully somebody is paying enough attention to get the review. There are a limited number of people reviewing it, but the ones that are are doing a really good job of it lately. We have gotten some really good folks, partly connected to the foundation, partly not, who are taking really good care of php.net these days. And that applies to all the repos, of course. main.php.net is in there. PHP source, obviously, for the source code, you do need to know your way around C. But I will say this, if you’re thinking about learning C, the PHP source code is actually, in my opinion, a really good spot to do that.
[51:22] Because the actual act of running that, you know how to run PHP and do things within PHP. So look at the implementation of any user space function. Say you want to look at, oh, I don’t know, strtolower as an example. Literally look for the string strtolower in the codebase. Eventually you’ll find one that’s next to it. All caps, PHP underscore FUNCTION, parentheses, strtolower. That is the implementation of the strtolower function. And we’ve got so many macros and so many plain language APIs in there that you can probably infer a lot of that just as somebody who has worked in a language that is ultimately a descendant of a common ancestor with C. Like, we forget sometimes how much common language we actually have within programming these days. It’s like how most European languages can trace their roots at least partially to the Romans because that has spread everywhere. It’s the same thing.
[52:23] The ancestor languages of PHP and C are one of those Roman-type languages that have just spread everywhere. And then occasionally you went into some Greek or German and things get confusing. But at least there’s no Paamayim Nekudotayims in there anymore, right?
[52:41] Oh my God, Joe, if you don’t know I’m not recognized by my E-Nexus. I recognize it, but wasn’t there an RFC, or I wasn’t sure how serious it was, of removing it? I remember there always being a lot of talk about removing it because it quote unquote didn’t make sense. But if you knew, it was always this joke, right? It was imminently Googleable, yes. No, so yeah, no, that’s what I’m saying. We don’t have that anymore. I mean, technically we do. Canonically, the token is now T_DOUBLE_COLON. And that is what it will show up as in errors now. But we do have the constant for it. And so T_PAAMAYIM_NEKUDOTAYIM is just an alias for T_DOUBLE_COLON. Nice. I was so worried that you didn’t even recognize the reference. No, I have been around that long.
[53:26] All right. So we’ve covered internals. We’ve covered the foundation. We’ve covered how to contribute, how you can start poking around at that. Let’s see. What else do we have to talk about? There was some interesting looking things. How about, we’ve been dunking on AI so much, how about we talk about some PHP happiness? Some PHP happiness. Yeah, I saw this. Now, Eric did give us several topics to talk about in case we ran out of topics. So I saw this one, and just, there’s a lot of PHP and there’s a lot of “ness” at the end, and I just don’t know how to say that safely. I’m being careful just to say happiness and not try to make it, yes.
[54:11] Yes, yes. There was, many years back, a conference that had t-shirts that said enhance your, um, I thought that was rather unfortunate. And I don’t love this particular URL, but I will take it. Oh, that was you? Yeah, sorry, I saw somebody throw the URL out there. But yeah, this is kind of just meant to be a counterpoint to PHP Sadness, which I think is completely fair. And it’s celebrating what this person who posted it sees as things that are really good about the PHP language. And I don’t see anything to argue with. The only thing I would argue with on this is that it implies that PHP has only become great essentially since 5.5 and later, arguably even 7 and later, because there’s very few 5.5 things in there. I actually specifically went looking for generators because I’m like, there are better generators.
[55:19] I’ll agree that these are all great things and I’m so glad we have them now, and the language is better having them. But I’m one of those people who thought PHP 3 was pretty gosh darn awesome. I thought PHP 4 was a great improvement over PHP 3, and PHP 5 was just chef’s kiss by comparison, because the language was getting really mature at that point. Am I going to say that seven wasn’t an amazing step up? No, I’m not. Am I going to say that eight hasn’t been even better? No, I’m not going to say that either. But I have all the PHP happiness is what I’m saying. Absolutely. I went from Perl to PHP 5, and at the time I was still working on some stuff that was in PHP 4, but most of the stuff was PHP 5. So that was my entry into the language. And just to look back and to think about how many people that are working on PHP today got to skip PHP 5, for better, for you know, just because of when they found the
[56:15] language. And I know what you mean. I’m still going to bristle at the idea of, like, right, yeah, yes, no, but I get what you mean. But because nothing is, so the younger people, the younger crowd that PHP has to compete with to onboard new developers, they want the sexy, slick JavaScript stuff, and PHP has come a long way. Absolutely. Yeah, no, I got it. And it has been so weird to be, you know, there for all of PHP’s growth. Well, not all of it. Like, there was, I think PHP had been out for almost six years by the time I, no, no, that was by the time I got involved in it. PHP had been out for about two years by the time it started. But watching it grow has been really, really nice. And I may eat my hat when it comes to AI later, because AI turns out to be really awesome, and we’re all just sitting on the bridge of the Enterprise saying, come here, describe the nature of the universe, and getting a reasonable answer.
[57:19] I just wish it wasn’t so polarizing within our community.
[57:23] Because it feels like there are people that I cannot talk to about AI because they are just that off-put by it. They’ll hear nothing of it. And I understand and I empathize with that. But I don’t know. I wish it wasn’t that way. I wish there weren’t so many other concerns about AI. But, yeah. I think there are people on the other side of that. People who are just all in on AI. Oh, yeah. And they are just ready for this to take over. And they’re like, the sooner this can completely replace me as a developer, the better. Which, by the way, as a, you know, pinko commie red, I will say I am all for nobody having to work in any job. I just don’t think we’re there yet. Yes. So there are people on, I think, both sides of that going to the extremes, almost like it’s a political thing. There’s people going to be chance. And there’s definitely room for no answer approach. And that’s why I do want
[58:28] to say I have not, I don’t want to completely crap on AI, because I definitely have seen places where it’s had really good use. I’m really in favor of it. I just wish we could come in, you know, moderate a little bit. Yeah. Yeah. For sure. So in other news, there was another NPM supply chain attack, or hack, I guess, depending on how you want to talk about it or phrase it. But the NPM package Axios, which, if my understanding is right, if you’re doing almost any fancy requests and modern request and response stuff in JavaScript, you’re going to use this package. The maintainer was hacked, or his account was compromised, and that’s what led to bad actors getting access to the package, being able to publish malware, and then having it distributed. I think the exposure time was something less than three hours. I mean, it was discovered, that’s good. It
[59:27] was discovered and patched really, really quickly. So to everyone involved on the NPM side and the package maintainer getting access back, that’s one of those good things. And I don’t want to downplay this, but what I thought was interesting that came out of it was in our Discord, and I’m blanking on who it was, but they asked the question, why isn’t this happening more in PHP?
[59:49] I mean, it did happen pretty recently. Did it? Well, it feels like recently for me. A couple of years, I guess. Do you remember this one? I guess I’ve forgotten or blanked it out, but I don’t know. Thinking about it from an attacker standpoint, the only thing that I would guess is Axios is like a pot of gold at the end of the rainbow for an attacker in terms of blast radius and the people that are using that package, right? Being able to spread the malware and such, whereas a PHP package may not have the same blast radius. Maybe PHP isn’t appealing enough for an attacker, which… I guess I’m okay with. But at the same time, I feel like Packagist does a really good job and Composer does a really good job of securing everything as best they can from their endpoint. But at the end of the day, it’s still up to me, Joe, the human, my responsibility to protect my keys and my credentials from being phished or leaked.
[01:00:49] And knock on wood, I luckily haven’t had any major issues, but other people aren’t going to be as fortunate, and maybe I’m going to not be as fortunate in the future. But it’s just one of those things that I thought was interesting on why we don’t see this more prolific in the PHP community.
[01:01:07] Yeah, I mean, I don’t want to put any anonymizer out there that kind of victim blames what happened with Axios. Like, sure, that sucks. And it’s not fun. And also, I do want to throw this out there. And I think I have found the right link for it. I’m going to post this into Discord right now. Started to do that while you were talking. I think it’s that one, and feel free to highlight that. I believe this is the video where, on this channel, we talked about the compromise in PHP’s Git server. This was back when we were running our own Git server, GitDev. Ah, right, okay.
[01:01:52] And it wasn’t that anyone’s credentials were compromised, but it is that some vulnerability, I think, in the web view to that Git server, there was some, like, zero-day or known exploit that we hadn’t patched yet, allowed them to basically put in commits. Initially, I think it was as Rasmus, and then their second commit, I think, was as Nikita. And it was super obvious in terms of what the exploit was. It was basically like, hey, if you pass in this query parameter, then just eval some code or something like that. It was really, really obvious and plain. But that stuff happens. And in that case, I would say that it was a degree of carelessness. We were running our own Git server and either not patching it correctly or not paying attention to it enough that somebody was able to compromise us in this way. Fortunately, it was found very quickly, and between the logs and actually just manually reviewing the code, we convinced
[01:03:00] ourselves that, like, okay, this is the extent of the intrusion and we feel good about this. But I think the most important thing was actually that video, because we went out and we said, hey look, stuff happened, oops, sorry, right. Here’s what we’re going to do about it. We’re going to stop running our own Git server. We’re going to let GitHub do this because it has five nines of reliability and we can.
[01:03:25] Those were the days. That’s called comedic callback, kids. Yeah.
[01:03:31] I mean, to my knowledge, GitHub is not getting compromised in the AOLI. So, yeah, I think the opportunity for the PHP Git repos to have been compromised was probably a lot higher in the past, not just because that Git server, but also because, you know, it was normal and commonplace for somebody to just commit something, push it directly. Now we at least have a code review process that doesn’t necessarily stop people from just pushing things without review, but it’s more of a less expected thing to happen than it was before. So I think that’s helping to protect us. And that is something you only really get from the scale of having a project with a lot of people involved. I don’t know Axios, but if it’s just a project meeting by one guy in Nebraska in his spare time, then you know maybe they don’t have the resources to have reviews for everything.
[01:04:29] Yeah. And there are a lot of people that have access to, or at least if you look at the people.php.net site, there are a ton of people with accounts there. So the ability for people to contribute, it’s really awesome that there’s so many people out there that have that ability. I will say, the last time I looked the number was around 800 something. It’s probably higher than that; that’s probably over a thousand right now. I haven’t looked in a very long time. But I will say the majority of those will tend to be documentation contributors. And yes, it’s bad if bad documentation gets in, no doubt, but if the total of your access is to, say, the Czech language translation, then that’s the blast radius for your damage. So the number of people who have access to the PHP website is much, much smaller than that. The internal source code, it’s smaller than docs, but it’s bigger than the website, you know?
[01:05:33] So we try to exercise the principle of least privilege as we can. But also a bus factor, right? You have to make sure people have access, and if somebody just disappears, somebody can pick up the position or the task, whatever they’re responsible for. Yeah. Yeah, but I think bus factor is the most important component to that there, yeah. And we have been actually, in recent years, trimming people out of that list. One person showed up recently, just kind of out of the blue. Ilia Alshanetsky was a contributor to PHP in the early, early days. He was in the project well before I was, so at least turn of the century. And he was really active for a long time and then he just kind of had other projects. He went off and did other things. Whatever, people do that. I definitely had quiet periods myself. And yeah, he got taken out of the rights at some point, probably during the
[01:06:24] move to Git, maybe earlier. But he’s shown up again and he’s thrown up patches. And so, yeah, they’re going through the review process and he kind of doesn’t need direct access to commit yet. But if he does, like, you know, we know we can trust Ilia. He was a release manager in the 5 series. I think he did 5.2. So, you know, if he’s active again, it’s fine. But yeah, cutting people’s access off because they’ve gone inactive is not a personal judgment. It’s just the principle of least privilege. That’s security controls. Pretty basic. Yeah. So, there’s nothing wrong with that. Absolutely.
[01:07:06] So, yeah. Feel free, Axios guy. Or, I don’t know, maintainer.
[01:07:16] And, yeah, it’s good they caught it.
[01:07:20] Anything else we want to cover before we take off? I mean, we’re getting pretty close to our time, so I think we’ve done a good job here. We covered this and this. I need to give Eric’s computer back.
[01:07:30] Yeah, yeah. Oh my God. Well, I was gonna say we totally should have recorded him taking the stream back, but, right, that wasn’t recording, that was live. Yeah, you can tell it was live with my typing. I will be honest, I want to give you props here, because that idea only got floated, like, what, maybe two hours before we started streaming? Like, you threw that fast, dude. Like, I’m impressed. Yeah, I love it when the plan comes together. All right, well, thank you very much for joining me. This has been the PHP Podcast with my guest, Sara Golemon. I’m Joe Ferguson. Please check out phptech.io to join us in Chicago for PHP Tech or JS Tech. If you are a JavaScript developer, we have a whole event track going on for you too. Also, if you’re looking to hire PHP developers, send an email to support at phparch.com. We’re hireable. You can hire me to work on your project and I’ll come in there
[01:08:33] and build your Ansible playbooks and look at your code. And that’s a thing. And he’ll use the right amount of AI. The right amount of AI, right. What even is that? All right. Thanks, everybody, for joining us. We’ll see you next time. And vote for Joe. And vote for me. Yes, please. Yes.
[01:08:50] This has been PHP Podcast, the official podcast of PHP Architect, the industry’s leading tech magazine and publisher focused on PHP and web development. Subscribe today at phparch.com to see what the leaders in the community and industry are talking about.
Air date April 2, 2026
Hosted by Joe Ferguson, Sara Golemon