PHP RFC: Open Release Manifests

• Version: 0.9
• Date: 2021-07-22
• Author: Mark Randall
• Status: Draft

THIS RFC RELATES TO THE RELEASE PROCESS AND SEEKS TO IDENTIFY ADDITIONAL DATA WHICH MAY BE SUITABLE TO PROVIDE

This RFC proposes that all future PHP releases, including future versions of currently maintained releases, would be published alongside a standardised manifest file containing information on the release version, description, and changes.

This RFC also proposes producing backdated manifest files for previous releases.

These manifest files would be hosted in a suitable location accessible via HTTP (probably master or github), and would become the source of truth for PHP release information, upon which other data and services could be built.

For a prototype of such data, please see: https://prototype-meta.php.net/releases/

Two types of manifests would be maintained, the first would be per-release and would contain all information that internals sees fit to include, but no less than:

• Version
• Alpha / Beta / RC / Stable
• Release date
• Download locations for source code, including file hashes
• A description (if applicable) with support for multiple languages.
• A list of changes, grouped by module, where each change includes additional metadata e.g. a bugfix number, CVE and CVSS, or author.
• A list of flags to indicate essential considerations, such as if it is a security release.

Unlike current announcements, this manifest would NOT instruct users to download the release, or state if the release was security related or not. In many cases the description would be either empty or omitted entirely.

The rationale is simple: Information contained within existing release notifications is usually either redundant or rendered obsolete within a couple of months at most, e.g. each announcement includes a notice that users should upgrade to that version, even long after that version has been superseded by a newer release.

By stripping this verbiage from the manifest description, the data becomes more useful for both processing and as a long-term archive. The sites and services consuming the data can use its contents to generate their own descriptions, such as automatically flagging security issues, and only including text encouraging users to download it if it is the latest version.

A second manifest would need to be generated that acted as a central lookup table for each of the releases, this would contain each branch, its support status including end of life dates, release managers, and the href to the XML / JSON of each point release. The latter of which should contain an attribute to indicate the most recent stable release.

Through this standardised source of truth, it will be possible to better iterate on how to present this data in other forms, such as by formatting it into HTML, and including it in APIs.

This data would then also be used to generate the necessary pages and announcements for inclusion on the existing php.net website, rather than the current process of manually editing arrays inside PHP scripts.