Sara Golemon @pollita@phpc.social

HYPE! php-8.1.0alpha1 tagged!

https://github.com/php/php-src/tree/php-8.1.0alpha1

Me: I'd like a hex table, please.

Google: Do you mean this random English village? https://en.wikipedia.org/wiki/Hextable

Me: I'd like an ascii table, please.

Ya know, I'mma be honest... Composer users follow a really nice, respectable upgrade cycle.

Y'all on it pretty sharp there... Even ya stragglers....

https://blog.packagist.com/php-versions-stats-2021-1-edition/

Reassembling my workspace in the brand new bedroom I've built out in my basement. The office managers have reported for duty and are watching over me intently.

What does this output (under PFA implementation)?

var_dump(?, 2)(?, 3)(?, 4, 5)(?, 6)(1);

https://3v4l.org/8kXCb/rfc

Discussing partial function application over the past week:

Email to security@: Did you guys know you have phpinfo output accessible on your websites?

Me: Yes. It's on purpose. We're an open source project and we believe in transparency.

Email (smugly): Hah! But you probably don't realize your entire git repo is visible!

Me: What, you mean these? <links to github where all php.net sites' sources live>

---

The first email is forgivable, even appreciation worthy, as it looks like a common vulnerability.

Once you've been told it's not though.... eh?

It's almost beautiful in a way... almost.

PHP: Don't try to write a clever regex to validate email addresses, the range of valid addresses is far far wider than you could possibly imagine. Just don't.

Also PHP: https://github.com/php/php-src/blob/master/ext/filter/logical_filters.c#L680

Trying to make an April Fool's joke about the git compromise and I just can't bring myself to do it. It's too soon, man.

Pay attention corporations. This is how you preserve trust in a situation where you're inevitably going to lose some. Just treat everyone involved like a fucking adult and take your slaps on the wrist.

We fucked up by trying to maintain out own infra without the resources to do it right. We admitted that mistake to ourselves first, then to the public, and we're acting to fix the underlying problems (including some that weren't an issue yet, but could become ones).

I feel like I need to do a video on this breach event.

A little on the breach itself, 'cause that's probably interesting, but mostly on the way it's disclosed and responded to.

We publicly announced pretty quickly by any measure and have been pretty transparent so far (more transparency coming soon) and the response has been mostly "Fuck that sucks, thanks for working to fix it" rather than "POOF THAT PHP IS TEH SUX". There's some of that, but preciously little.

Fuck, man. Not gonna lie. I'm shook. I just to curl up and lick my wounds awhile, but there's shit to do. Fuck.

This one even got my wife laughing out loud.

There's too much text to put it in the mouse over, so I've pasted it to gist for the screen reader inclined.
https://gist.github.com/sgolemon/a2f98484efac50d69a292ff40bc6e036

Just.... everything about this.

PHP internals devs: ** Discover funky internal behavior of a PHP userspace function.

Dev 1: Wait... what?
Dev 2: /facepalm
Dev 3: No, it really does do that.
Dev 1: So, an entirely typical PHP function then.

How to be an entitled asshole towards the the people who make the thing you make money off of for free: https://bugs.php.net/bug.php?id=80877

"They": There's no such thing as a bad idea.

The Internet: CHALLENGE ACCEPTED. https://externals.io/message/113504

As always, identities have been changed to protect the stupid.