Announcing Release Managers for PHP 7.4 (Alpha: 6 Jun, GA: 21 Nov):

* Peter Kokot
* Derick Rethans

7.4 is expected to be the LAST branch of the PHP 7 series. Watch for PHP 8 in 2020. 

RT @nikita_ppv
New RFC for arrow functions / short closures:

Uses `fn($x, $y) => $x * $y` syntax and implicit by-value binding of variables. The RFC has a detailed discussion on why we're unlikely to get the more popular `($x, $y) => $x * $y` syntax...

Happy Birthday to The Web!
Best Friends Forever!

Listen up, PHP devs-all,
I've got a brand new tarball.
It's a security release,
so I'm begging you please,
Download and hit make install.


RT @pear
10/10: The only community of users that likely interacted with a go-pear.phar file is someone that has PHP already and wanted to manually install PEAR themselves, and chose to manually download go-pear.phar to do it. Once PEAR is installed, go-pear.phar would not be used again.

RT @pear
9/10: If you manually installed PHP and it included a PEAR installation during its installation, it is hugely unlikely that go-pear.phar was pulled in for that task (it uses install-pear-nozlib.phar instead)... and even more unlikely that you would have used it on that system.

RT @pear
8/10: If you installed PEAR on your Linux system using your distribution's package management tool, it is hugely unlikely that go-pear.phar was included with it... and even more unlikely that you would have used it on that system.

RT @pear
7/10: If your system has PHP and PEAR preinstalled, it is hugely unlikely that go-pear.phar is on it... and even more unlikely that you would have used it on that system.

RT @pear
6/10: The largest misunderstanding we see in the wild is thinking that go-pear.phar *is* the PEAR installer program itself, and that it's what you use over and over again to install various PEAR packages. This is *not* the case.

RT @pear
5/5 What we know: We cast a wide net by asking everyone to be concerned if they'd used the go-pear.phar file in the past six months. The server restoral is ongoing, by limited staff with timezone differences between the parties involved.

RT @pear
4/5 What we know: being unsure of other potential insecurities, we took the site down in order to restore a new box from backups. A previous mirror box was set to host a "PEAR is down" single info page in the meantime.

RT @pear
3/5 What we know: no other breach was identified. The install-pear-nozlib.phar was ok. The go-pear.phar file at GitHub was ok, and could be used as a good md5sum comparison for any suspect copies.

RT @pear
2/5 What we know: The taint was an embedded line designed to spawn a reverse shell via Perl to IP This IP has been reported to its host in relation to the taint.

RT @pear
1/5 What we know: the tainted go-pear.phar file was reported to us on 1/18 by the Paranoids FIRE Team. The last release of this file was done 12/20, so the taint occurred after that. The taint was verified by us on 1/19.

RT @pixel5_
The null coalesce equal operator was merged into @official_php! Praise the Lord, my code is going to look SO much cleaner after this.

RT @pear
The release will be issued as a proper "PEAR release" once the server is back up.

Our thanks to @evertp for making the case for a fresh release.

RT @pear
A new v1.10.10 release of pearweb_phars is available on @github. This rereleases the correct `go-pear.phar` as v1.10.9, the file that was found tainted on the ` ` server, and now includes separate GPG signature files with each `phar`