On 3/15/26 09:51, Daniil Gentili wrote:
>> I don't understand the security part. Do you mean that people could report
>> security issues for those community branches? If so, then it's completely
>> unrealistic as we are already struggling with handling security issues for
>> the current branches.
>
> I honestly do not consider seriously any argument based on "it's too much
> load for maintainers", including around security (which is still a
> responsibility of feature owners).

A feature that ships in PHP is the responsibility of the core
maintainers, regardless of who "owns" the feature. Ultimately, it all
comes down to trust, and if PHP ships an insecure feature, the core
maintainers can't shrug and point to the feature owners and say, "It's
not our fault."

> PHP is one of the most used programming languages in the world.
> The PHP Foundation, and by proxy its sponsors, are actively paying php-src
> maintainers in order to not just make PHP secure, but also improve it in
> every way possible (unlike myself and Edmond, as we are both working as
> unpaid volunteers, investing a huge amount of time to develop and push
> major improvements to the language, for free).
> I honestly do not believe that sponsors actually paying the php-src
> maintainers would be against the introduction of genuinely useful, quality
> of life improvements like async, generics, etc. just on the basis that it
> would be too much work for php-src maintainers.

One of the most used programming languages in the world is also one of
the most underfunded programming languages in the world. You're
overestimating donations to the PHP Foundation. This is why, in the
recent search for a new executive director, we emphasized the importance
of hiring someone who we think will be able to increase donations. I'm
really excited about the future of the foundation, and when it has a
stable pool of donors, maybe this conversation will be very different.

The finances for the PHP Foundation are public:
https://opencollective.com/phpfoundation#category-BUDGET

If you look at expenses paid for the past year compared to contributions
collected, you'll note the foundation has spent $100k more than it has
collected. This is possible due to some large one-time donations by
corporate sponsors, but it's not sustainable.

We can change this. Convince companies who use PHP to commit to
recurring donations. Once it has a sustainable revenue and is able to
hire more than 10 full-time and part-time developers, maybe it will be
able to fund projects like this.

Cheers,
Ben