diff --git a/resources/ATTRIBUTION.txt b/resources/ATTRIBUTION.txt index ca6c7a1..45d6adf 100644 --- a/resources/ATTRIBUTION.txt +++ b/resources/ATTRIBUTION.txt @@ -20,3 +20,8 @@ * extra-5-confusion.svg Created by hand using https://www.svgviewer.dev/ Based on my previous work on missing-3-confusion.svg + +* php-8.5.6RC3-confusion.svg + Created by hand using https://www.svgviewer.dev/ + Based on my previous work on missing-3-confusion.svg and + extra-5-confusion.svg diff --git a/resources/php-8.5.6RC3-confusion.svg b/resources/php-8.5.6RC3-confusion.svg new file mode 100644 index 0000000..0a0500d --- /dev/null +++ b/resources/php-8.5.6RC3-confusion.svg @@ -0,0 +1,51 @@ + + + + + + + + + + + + + + + + + + + + + 1 ... 3?? + diff --git a/sitemap.xml b/sitemap.xml index ce0d788..eba471f 100644 --- a/sitemap.xml +++ b/sitemap.xml @@ -87,4 +87,7 @@ https://scherzer.dev/Blog/20260416-php86-release-manager + + https://scherzer.dev/Blog/20260430-php856-rc-3 + diff --git a/src/Blog/posts/20260430-php856-rc-3.md b/src/Blog/posts/20260430-php856-rc-3.md new file mode 100644 index 0000000..906e24e --- /dev/null +++ b/src/Blog/posts/20260430-php856-rc-3.md 
@@ -0,0 +1,76 @@ +--- +title: The Story of PHP 8.5.6 Release Candidate 3 +extra-classes: + - blog-page--sidebar-image +--- + +# The Story of PHP 8.5.6 Release Candidate 3 + +I have previously had to skip a non-stable release +([PHP 8.5.0 alpha3][blog-alpha3]), and to create an extra unplanned release +candidate ([PHP 8.5.0 RC5][blog-rc5]). For PHP 8.5.6 release candidate 3, I had +to do both: release candidate 2 was unplanned, and then an error led to skipping +it, resulting in release candidate 3 that I just announced. Here is what +happened. + +![PHP 8.5.6RC3 confusion](/resources/php-8.5.6RC3-confusion.svg) + +## Uriparser vulnerability + +When PHP 8.5.6 RC1 was tagged and [announced][rc1-announce], it was expected to +be the only release candidate. However, earlier this week a vulnerability +([CVE-2026-42371]) in the [uriparser library][uri-lib] was +[disclosed][uri-disclosure]. That library is bundled with PHP 8.5. + +On Monday, a pull request, [#21890][gh-21890], was opened for PHP to update the +bundled library to the latest version, where the vulnerability was fixed. Since +the vulnerability was in an upstream dependency and had already been announced +publicly, this security fix was performed in public on GitHub, rather than in +private [as described in PHP's security policy][php-sec-policy]. + +I merged that change, and cherry-picked it to the PHP-8.5.6 branch. So far, +everything was relatively familiar - I had done something similar for the extra +release candidate for PHP 8.5.0. Seeing no regression reports or other fixes +that needed to be included in PHP 8.5.6, on Tuesday I proceeded to tag and +build a second release candidate. Everything was going as expected; RC2 was +unplanned, but I've had to deal with unexpected release candidates before. + +## ext/dom compilation + +On Wednesday, before I had announced the second release candidate, a bug report +was filed on GitHub ([#21911][gh-21911]). 
On Windows only, when trying to build +the dom extension in shared mode (`--with-dom=shared`), compilation would fail. +The cause was a problematic upmerge from PHP-8.4 to PHP-8.5 when updating to a +newer version of the [lexbor library][lexbor-lib]. As a result of some internal +reorganization between PHP 8.4 and 8.5, the lexbor upgrade placed some +dependency files in incorrect locations in PHP 8.5. + +Normally, when bugs are resolved the fixes go out in the next bugfix release +that is not already in progress, meaning PHP 8.5.7 in this case. However, this +was a bug that was introduced *after* PHP 8.5.5 was released - in other words, +it would have been a regression between PHP 8.5.5 and 8.5.6. In those cases, +if fixes are available in time they are included immediately. This is the whole +reason we use release candidates: to catch regressions before they reach a +stable release. + +Since I had already tagged and built PHP 8.5.6RC2, this meant that a third +release candidate was needed. I cherry-picked the fix and tagged and built a +new release candidate, PHP 8.5.6RC3. + +## Looking ahead + +For most patch releases (i.e. PHP 8.5.X) only a single release candidate is +needed. Building three candidates is rare, but it happens (e.g. PHP 8.3.1RC3). +Hopefully, no new issues are found and PHP 8.5.6 can be released as scheduled +next week. + +[blog-alpha3]: ./20250801-no-alpha-3 +[blog-rc5]: ./20251113-release-candidate-5 +[gh-21890]: https://github.com/php/php-src/pull/21890 +[gh-21911]: https://github.com/php/php-src/issues/21911 +[lexbor-lib]: https://lexbor.com/ +[rc1-announce]: https://news-web.php.net/php.internals/130688 +[CVE-2026-42371]: https://nvd.nist.gov/vuln/detail/CVE-2026-42371 +[php-sec-policy]: https://github.com/php/policies/blob/67fbca9739e3de9823c297cdb9a938e3b532be93/security-classification.rst#handling-issues +[uri-disclosure]: https://www.openwall.com/lists/oss-security/2026/04/27/2 +[uri-lib]: https://uriparser.github.io/ 
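Review bot: In the "Uriparser vulnerability" section of src/Blog/posts/20260430-php856-rc-3.md, the fix is described only as updating the bundled library "to the latest version", with no version number. Name the uriparser version that #21890 brings in, so a reader can check their own build against CVE-2026-42371 without opening the pull request. Separately, the introduction says "an error led to skipping" RC2, but the "ext/dom compilation" section only says the report arrived "before I had announced the second release candidate"; one sentence stating that RC2 was tagged and built but never announced would tie the two together.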
diff --git a/tests/data/Home.html b/tests/data/Home.html index e4e90fd..2b0c81c 100644 --- a/tests/data/Home.html +++ b/tests/data/Home.html @@ -4,6 +4,9 @@ Computer Science and Political Science and graduating magna cum laude in 2024 with a Bachelor of Science degree. As part of my work in Computer Science, I chose to write an honors thesis in my senior year, see here for details. I continued at Tufts for graduate school, graduating in 2025 with a Master of Science in Computer Science degree.

See the links in the navigation bar above for more information about my -experience.

Contact

Blog

I also have a blog. You can see a full index of my posts here. My latest blog post is:

PHP 8.6 Release Manager

Thursday, 16 April 2026

I'm excited to announce that I will be serving as the "veteran" release manager -for the PHP 8.6 release cycle. In that role I will be mentoring two new -"rookie" release managers to ensure a smooth and successful release process. Continue reading...

\ No newline at end of file +experience.

Contact

Blog

I also have a blog. You can see a full index of my posts here. My latest blog post is:

The Story of PHP 8.5.6 Release Candidate 3

Thursday, 30 April 2026

I have previously had to skip a non-stable release +(PHP 8.5.0 alpha3), and to create an extra unplanned release +candidate (PHP 8.5.0 RC5). For PHP 8.5.6 release candidate 3, I had +to do both: release candidate 2 was unplanned, and then an error led to skipping +it, resulting in release candidate 3 that I just announced. Here is what +happened. Continue reading...

\ No newline at end of file diff --git a/tests/data/blog-index.html b/tests/data/blog-index.html index ab674cf..9a7a2fa 100644 --- a/tests/data/blog-index.html +++ b/tests/data/blog-index.html @@ -1,5 +1,10 @@ -Blog index
HomeRésuméOpen SourceWorkBlog

Blog index

PHP 8.6 Release Manager

Thursday, 16 April 2026

I'm excited to announce that I will be serving as the "veteran" release manager +Blog index

Blog index

The Story of PHP 8.5.6 Release Candidate 3

Thursday, 30 April 2026

I have previously had to skip a non-stable release +(PHP 8.5.0 alpha3), and to create an extra unplanned release +candidate (PHP 8.5.0 RC5). For PHP 8.5.6 release candidate 3, I had +to do both: release candidate 2 was unplanned, and then an error led to skipping +it, resulting in release candidate 3 that I just announced. Here is what +happened. Continue reading...

PHP 8.6 Release Manager

Thursday, 16 April 2026

I'm excited to announce that I will be serving as the "veteran" release manager for the PHP 8.6 release cycle. In that role I will be mentoring two new "rookie" release managers to ensure a smooth and successful release process. Continue reading...

Introducing define_deprecated() for PHP

Friday, 10 April 2026

In PHP 8.5, I introduced support for attributes on constants, which allows marking compile-time global constants as deprecated. However,
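Review bot: The excerpt added to tests/data/blog-index.html, like the one added to tests/data/Home.html, repeats the opening paragraph of the new post word for word, so any later edit to that paragraph has to be mirrored in both fixtures to keep them matching the post. If these files are generated from the posts, regenerate them rather than editing by hand and say so in the commit message. The Home.html fixture also still ends with "\ No newline at end of file" on both the removed and added side, which is worth keeping only if the fixture is compared byte for byte against rendered output.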