On Sun, Mar 15, 2026 at 4:46 PM Daniil Gentili <[email protected]>
wrote:

>
>
> Il dom 15 mar 2026, 16:36 Jakub Zelenka <[email protected]> ha scritto:
>
>> On Sun, Mar 15, 2026 at 3:51 PM Daniil Gentili <[email protected]>
>> wrote:
>>
>>>
>>>
>>> I don't understand the security part. Do you mean that people could
>>>> report security issues for those community branches? If so, then it's
>>>> completely unrealistic as we are already struggling with handling security
>>>> issues for the current branches.
>>>>
>>>
>>>
>>> I honestly do not consider seriously any argument based on "it's too
>>> much load for maintainers", including around security (which is still a
>>> responsibility of feature owners).
>>>
>>>
>> Except feature owners won't be able to do any triaging, security impact
>> analysis (deciding whether it's a security issue - this is done by the
>> security team), allocating CVEs, testing the patches in our security repo,
>> doing the security release and publishing / updating all advisories. And I'm
>> not even considering the extra reporting that will be required by the CRA.
>> So I think you might be underestimating the amount of work for handling
>> security issues.
>>
>
> I do not underestimate it, I simply do not consider it to be a problem,
> given the context of PHP needing a LOT of new features in order to compete
> with modern languages.
>

But we just don't have those resources in the security team. As I said, we
are struggling to handle the current load. Things might improve in 2027, but
it's still not clear whether we get some extra resources. If we do, we would
more likely want to spend them on the current backlog and on improving other
things, as there is a lot to do. So I just don't think something like this
is realistic.

Kind regards,

Jakub
