Christian Weiske:
PEAR will probably be removed from MacOS X
Jun 29, 2017 @ 11:08:26

In a new post to his site Christian Weiske shares his interaction with the Open Source group at Apple concerning his Structures_Graph PEAR package. They were interested in the package and its functionality, but had one issue.

Fact is that Structures_Graph is used in the PEAR installer, which is shipped as part of OSX's PHP packages. Apple simply wanted to continue their current setup without changing anything.

Unfortunately, Apple had issues with the package being under the LGPLv3 license. Their concern was that, in certain circumstances, the license could allow the owner access to other potentially sensitive information from the user. He lists out his options: basically either changing the license, asking Apple for compensation, or just telling them "no". If they decide that having it under that license isn't acceptable, they may drop PEAR altogether (as the package is a part of the installer itself).

tagged: pear osx removal macosx license issues apple

Link: http://cweiske.de/tagebuch/pear-apple-osx.htm

SenseDeep Security:
Web Developer Security Checklist
May 17, 2017 @ 10:22:34

On the SenseDeep Security site Michael O'Brien has posted a web developer security checklist you can use as a starting place towards securing your application (and developing secure applications from the start).

Developing secure, robust web applications in the cloud is hard, very hard. If you think it is easy, you are either a higher form of life or you have a painful awakening ahead of you.

[...] After you review the checklist below, acknowledge that you are skipping many of these critical security issues. At the very minimum, be honest with your potential users and let them know that you don’t have a complete product yet and are offering a prototype without full security. This checklist is simple, and by no means complete. It is a list of some of the more important issues you should consider when creating a web application.

He breaks it down into different sections with items to check off for each:

  • Database integration and data storage
  • Development environments and security scanning
  • Authentication
  • Denial of Service protection
  • Securing the Web Traffic
  • APIs
  • Validation (input and whitelisting)
  • Cloud service and Infrastructure configurations
  • General Operations and Testing

He ends with two points that are easy to forget when developing any application: determining what you're protecting against (threat modeling) and having a practiced security plan in place. Remember, checklists are a good place to start, but checking off each item doesn't mean you're 100% secure.

tagged: developer security checklist issues suggestion

Link: https://simplesecurity.sensedeep.com/web-developer-security-checklist-f2e4f43c9c56

Liip Blog:
A quick look on the current state of Drupal 8 (ecosystem)
Jul 08, 2016 @ 10:26:31

In a new post to the Liip blog Lennart Jegge shares a "quick look" at the current state of the Drupal 8 project and some of the issues some people are having making the transition.

Eight months ago Drupal 8.0.0 was released. Exciting news for drupalists. Since then comparing D8's features to its predecessor is a topic in daily business. "Can drupal 8 do what we can do now with 7 today?". After playing around with D8 I get the feeling some crucial features are missing.

He shares some of the features he sees as still missing (a Top 10 wishlist) and how it seems difficult to get a good overview of the Drupal 8 ecosystem. Some modules have yet to be updated and rewrites can be difficult given the major "under the covers" changes to Drupal itself.

In the end the importance of a variety of mature modules that play together nicely is crucial when it comes to efficiency, maintainability and stability of a project.

tagged: drupal8 ecosystem overview opinion features upgrade issues

Link: https://blog.liip.ch/archive/2016/07/07/quick-look-current-state-drupal-8-ecosystem.html

Zend Framework Blog:
Issues, Tags, and Closures (oh my)
Apr 14, 2016 @ 10:37:52

On the Zend Framework blog there's an update from Gary Hockin about some GitHub project-level changes that will be happening soon. He'll be doing some housekeeping on the current list of open issues in the main zf2 repository.

I want to make you aware of some upcoming changes to the issues that are currently logged in GitHub. We currently have 426 open issues that are logged against the (now) meta zf2 repository. The vast majority of these are now in the wrong place, as we've split our once monolithic single repository into the many single component repositories. These issues should be moved from the zf2 repository to the correct component that the issue relates to.

He's closed some issues in preparation and tagged others with a "To Be Closed" tag for later handling. By early May all issues tagged "To Be Closed" will be closed or moved to the correct component repositories. This will leave the project with around 100 issues to manage and move to the right locations.

tagged: zendframework2 github repository issues closing tagged

Link: http://framework.zend.com/blog/2016-04-11-issue-closures.html

Community News:
Laravel Internals Discussion Moves to Github
Mar 15, 2016 @ 10:18:47

The Laravel project has traditionally held discussions about the internals of the framework in an IRC channel on the Freenode.net network. The decision was made recently, however, to move the development over to GitHub (most likely to make it more accessible).

There are already several issues posted on the Issues list in the GitHub repository, including things around:

  • improving typecasting
  • decoupling Carbon (the date handling library)
  • a fluent interface for validation
  • enhancing the localization functionality

You can give feedback or start your own discussions by adding an issue to the list or just sharing your thoughts on current topics.

tagged: laravel community issues list internals github irc channel

Link: https://github.com/laravel/internals/issues

PEAR Blog:
PEAR server fully restored
Dec 15, 2015 @ 10:33:14

As is mentioned in this post to the PEAR blog the server hosting the packages and website has been fully restored as of December 11th and should be 100% functional again.

Our server sponsor eUKhost quickly provided us with a new machine after we told them the old one had failed, and the last two weeks were spent setting it up to provide the same functionality as before.

This includes not only the pear.php.net site but also the bug tracker, manual and downloads handling. They share a bit about why it took so long to correct (mostly technical difficulties with the server provided by the host). While backups did exist, they covered only the packages themselves and the XML file structure, not the website and blog database or the patch files in the bug tracker. The remainder of the post lists several other smaller things that went wrong in the process, all adding up to plenty of difficulties for Christian as he battled to get the server (and services) back up and running.

tagged: pear server issues restored postmortem details

Link: http://blog.pear.php.net/2015/12/11/server-fully-restored/

Paragon Blog:
Building Secure Web Applications in PHP
Sep 21, 2015 @ 16:15:56

The Paragon Initiative has posted an article to their blog talking about how to build secure applications in PHP. Rather than get into the details of particular vulnerabilities, they stay relatively high level and stick with concepts to keep in mind and steps you can follow to ensure your development practices are secure.

Whether you're planning the development of a brand new application or trying to prevent legacy code from causing a costly data breach, if you're going to be writing PHP, where should you begin? That is the question we will attempt to answer, in detail.

The article starts with an "easy way out" for those that don't feel like they know enough or just don't have the resources they need: hire consultants. With that out of the way, the article mentions two root causes for insecure apps: lack of knowledge about security and bad development habits. They then get into some suggestions about how you can learn to understand and prevent vulnerabilities in your own applications. They focus in on a few key places for PHP developers to pay attention to, complete with some charts showing the parts of the flow. The post ends with some advice on what to do if your site is compromised anyway and how to move forward.

tagged: secure application advice common issues developer

Link: https://paragonie.com/blog/2015/09/building-secure-web-applications-in-php

Evert Pot:
PSR-7 is imminent, and here's my issues with it.
Mar 04, 2015 @ 09:26:37

Evert Pot has written up a new post today with some of his thoughts about what's wrong with the PSR-7 proposal in the PHP-FIG. PSR-7 relates to a standardized interface for HTTP request and response handling.

PSR-7 is pretty close to completion. PSR-7 is a new 'PHP standard recommendation', put out by the PHP-FIG group, of which I'm a member. [...] PSR-7 gets a lot of things right, and is very close to nailing the abstract data model behind HTTP, better than many other implementations in many programming languages.

But it's not perfect. I've been pretty vocal about a few issues I have with the approach. Most of this has fallen on deaf ears. I accept that I might be a minority in feeling these are problems, but I feel compelled to share my issues here anyway. Perhaps as a last attempt to solicit change, or maybe just to get it off my chest.

He breaks up his thoughts into a few different categories, each with a summary and sometimes some code to help make his point a bit more clear. He talks about immutability, how message objects will be immutable, and shows a before/after example of how Silex would have to change to follow the standard. He then goes on to talk about the "issue with streams" and how, under the current proposal, the incoming request can still be turned into a new one with different headers, which is not truly immutable. He ends the post talking about PSR-7's stance on buffering responses and how, even if his project doesn't adopt the PSR in the strictest sense, they may still take some inspiration from it.
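
As an added illustration of the immutability point (this is example code written for this summary, not code from Evert's post, Silex, or the PSR-7 interfaces themselves), the PHP sketch below uses a hypothetical `Message` class in the style PSR-7 prescribes: `with*` methods return a modified copy and leave the original untouched. Only the `withHeader`/`getBody` method names follow PSR-7's naming; the class and the `php://memory` body are assumptions for the demo. It also shows why a mutable stream body undercuts that guarantee: the "immutable" copies share one stream resource, so a write through one copy is visible through the other.

```php
<?php
// Added example (not PSR-7's real interfaces): a message whose "with*"
// methods return a modified clone instead of mutating $this.
final class Message
{
    /** @var array<string,string> header name (lowercased) => value */
    private array $headers;

    /** @var resource a PHP stream; clone copies the handle, not the stream */
    private $body;

    public function __construct(array $headers, $body)
    {
        $this->headers = $headers;
        $this->body = $body;
    }

    // Immutable-style setter: returns a copy carrying the new header.
    public function withHeader(string $name, string $value): self
    {
        $new = clone $this;                        // shallow copy
        $new->headers[strtolower($name)] = $value; // only the copy changes
        return $new;
    }

    public function getHeader(string $name): ?string
    {
        return $this->headers[strtolower($name)] ?? null;
    }

    // Returns the shared stream resource; nothing here prevents writes.
    public function getBody()
    {
        return $this->body;
    }
}

// Constructed sample: an empty message with an in-memory body.
$original = new Message([], fopen('php://memory', 'w+'));
$modified = $original->withHeader('Content-Type', 'application/json');

// Headers behave immutably: the original did not gain the header.
var_dump($original->getHeader('Content-Type')); // NULL
var_dump($modified->getHeader('Content-Type')); // string(16) "application/json"

// The body does not: both objects hold the same resource, so writing
// through the copy alters what the original's body now contains.
fwrite($modified->getBody(), '{"injected":true}');
rewind($original->getBody());
var_dump(stream_get_contents($original->getBody())); // string(17) "{"injected":true}"
```

The header half is the pattern PSR-7 standardises; the body half is the caveat a practitioner should keep in mind when treating a request object as a trustworthy, unchanging record (for logging, signing, or replay): immutability of the wrapper says nothing about the stream it wraps.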

tagged: psr7 issues opinion phpfig http standard request response

Link: http://evertpot.com/psr-7-issues/

Symfony Blog:
The Symfony 500 + 100 Challenge
Dec 12, 2014 @ 12:48:08

The Symfony blog has posted something they're calling the Symfony 500 + 100 Challenge, an effort to kickstart a cleanup of the project's issue backlog.

The end of the year is approaching, and we think that this is the best time to do some backlog cleaning before fresh starting the new year. Right now there are 728 pending issues in symfony/symfony repository and 177 issues in symfony/symfony-docs.

Some of those issues were reported a long time ago and they probably refer to Symfony versions that are no longer maintained. Others would have been fixed but not closed and there could also be some duplicates. That's why we ask your help to review all the pending issues in order to close irrelevant issues and achieve much more manageable levels: 500 issues or less for symfony/symfony and 100 issues or less for symfony/symfony-docs.

If you're interested in helping out, they've included a few steps to get you started locating and claiming an issue to work on. They also make suggestions on how to report back on what you find: bugs, feature requests and general discussion items.

tagged: symfony challenge 500+100 issues bugfix featurerequest discussion

Link: http://symfony.com/blog/the-symfony-500-100-challenge

HHVM Blog:
HHVM 3.1.0
May 30, 2014 @ 11:56:54

On the HHVM blog today they've announced the release of the latest version of the popular project, version 3.1.0. This version fixes a few issues (including a segfault) and is the first release to come out of their semi-annual "lockdown", a period of focused work on the project.

If you remember last time we focused on framework unit tests, performance, and growing beards. This time, our frameworks were in good shape thanks to Fred and our Open Academy students, but our github story was not as pretty. At the start of lockdown we had 60 pull requests and nearly 450 issues. So our focus this time was github health and of course as always, perf.

In the end they closed out 251 GitHub issues and made things 16% more efficient in the process. They list out some of the updates in this release including:

You can grab this latest release from the pre-built packages page on the GitHub project account.

tagged: hiphop vm hhvm release version github issues

Link: http://hhvm.com/blog/5195/hhvm-3-1-0