
php.net @official_php@mirrored.social

Announcing Release Managers for PHP 7.4 (Alpha: 6 Jun, GA: 21 Nov):

* Peter Kokot
* Derick Rethans

7.4 is expected to be the LAST branch of the PHP 7 series. Watch for PHP 8 in 2020.

externals.io/message/104581#10
wiki.php.net/todo/php74 

RT @nikita_ppv
New RFC for arrow functions / short closures: wiki.php.net/rfc/arrow_functio

Uses fn($x, $y) => $x * $y syntax and implicit by-value binding of variables. The RFC has a detailed discussion on why we're unlikely to get the more popular ($x, $y) => $x * $y syntax...

Happy Birthday to The Web!
Best Friends Forever!

Listen up, PHP devs-all,
I've got a brand new tarball.
It's a security release,
so I'm begging you please,
Download and hit make install.

7.3.3: news.php.net/php.internals/104
7.2.16: news.php.net/php.internals/104
7.1.27: news.php.net/php.internals/104

RT @pear
10/10: The only community of users that likely interacted with a go-pear.phar file is someone that has PHP already and wanted to manually install PEAR themselves, and chose to manually download go-pear.phar to do it. Once PEAR is installed, go-pear.phar would not be used again.

RT @pear
9/10: If you manually installed PHP and it included a PEAR installation during its installation, it is hugely unlikely that go-pear.phar was pulled in for that task (it uses install-pear-nozlib.phar instead)... and even more unlikely that you would have used it on that system.

RT @pear
8/10: If you installed PEAR on your Linux system using your distribution's package management tool, it is hugely unlikely that go-pear.phar was included with it... and even more unlikely that you would have used it on that system.

RT @pear
7/10: If your system has PHP and PEAR preinstalled, it is hugely unlikely that go-pear.phar is on it... and even more unlikely that you would have used it on that system.

RT @pear
6/10: The largest misunderstanding we see in the wild is thinking that go-pear.phar *is* the PEAR installer program itself, and that it's what you use over and over again to install various PEAR packages. This is *not* the case.

RT @pear
5/5 What we know: We cast a wide net by asking everyone to be concerned if they'd used the go-pear.phar file in the past six months. The server restoral is ongoing, by limited staff with timezone differences between the parties involved.

RT @pear
4/5 What we know: being unsure of other potential insecurities, we took the site down in order to restore a new box from backups. A previous mirror box was set to host a "PEAR is down" single info page in the meantime.

RT @pear
3/5 What we know: no other breach was identified. The install-pear-nozlib.phar was ok. The go-pear.phar file at GitHub was ok, and could be used as a good md5sum comparison for any suspect copies.

RT @pear
2/5 What we know: The taint was an embedded line designed to spawn a reverse shell via Perl to IP 104.131.154.154. This IP has been reported to its host in relation to the taint.

RT @pear
1/5 What we know: the tainted go-pear.phar file was reported to us on 1/18 by the Paranoids FIRE Team. The last release of this file was done 12/20, so the taint occurred after that. The taint was verified by us on 1/19.

RT @pixel5_
The null coalesce equal operator was merged into @official_php! Praise the Lord, my code is going to look SO much cleaner after this. github.com/php/php-src/commit/

RT @pear
The release will be issued as a proper "PEAR release" once the server is back up.

Our thanks to @evertp for making the case for a fresh release.

RT @pear
A new v1.10.10 release of pearweb_phars is available on @github. This rereleases the correct `go-pear.phar` as v1.10.9, the file that was found tainted on the `pear.php.net` server, and now includes separate GPG signature files with each `phar`. github.com/pear/pearweb_phars/
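
A triage check based on the "2/5" and "3/5 What we know" posts above, added here as an example and not code from PEAR or php.net: it compares a suspect `go-pear.phar` with a trusted reference copy and flags any line containing the reported IP. The function names are hypothetical and the byte strings are constructed stand-ins, not real phar contents.

```python
import hashlib
import sys
from pathlib import Path

# Indicator quoted in the "2/5 What we know" post.
REPORTED_IP = b"104.131.154.154"

def digests(data: bytes) -> dict:
    """MD5 (the comparison the post suggests) plus SHA-256."""
    return {"md5": hashlib.md5(data).hexdigest(),
            "sha256": hashlib.sha256(data).hexdigest()}

def triage(suspect: bytes, reference: bytes) -> dict:
    """Compare a suspect go-pear.phar with a trusted reference copy."""
    ref_lines = set(reference.splitlines())
    extra, ioc = [], []
    for number, line in enumerate(suspect.splitlines(), start=1):
        if line not in ref_lines:
            extra.append(number)   # line absent from the reference copy
        if REPORTED_IP in line:
            ioc.append(number)     # line mentions the reported address
    if ioc:
        # Takes priority: also catches a "reference" that is itself tainted.
        verdict = "ioc-present"
    elif digests(suspect) == digests(reference):
        verdict = "match"
    else:
        verdict = "differs"
    return {"verdict": verdict, "extra_lines": extra, "ioc_lines": ioc,
            "suspect": digests(suspect), "reference": digests(reference)}

# Constructed stand-ins, not real phar contents; the marker line is inert.
CLEAN = (b"<?php\n// constructed stand-in for the installer stub\n"
         b"echo 'installing';\n__HALT_COMPILER(); ?>\n")
TAINTED = CLEAN.replace(
    b"echo 'installing';\n",
    b"echo 'installing';\n// constructed inert marker 104.131.154.154\n")

if __name__ == "__main__":
    if len(sys.argv) == 3:   # usage: triage.py SUSPECT REFERENCE
        result = triage(Path(sys.argv[1]).read_bytes(),
                        Path(sys.argv[2]).read_bytes())
    else:
        result = triage(TAINTED, CLEAN)
    print(result["verdict"], result["ioc_lines"], result["extra_lines"])
```

A "differs" verdict without an indicator hit still means the copy is not the reference file and should be replaced from a trusted source.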