
I've not used PHP in anger in well over a decade, but if the general environment out there is anything like it was back then there are likely a lot of people, mostly on cheap shared hosting arrangements, running PHP versions older than that and for the most part knowing no better.

That isn't the fault of the language of course, but a valid reason for some of the “ick” reaction some get when it is mentioned.


PHP had its issues like every language, but also a minimal memory footprint, XML/SOAP parser, and several SQL database cursor options.

Most modern web languages like nodejs are far worse due to dependency rot, and poor REST design pattern implementations. =3


> Also the language that has made me millions over my career with no degree.

Well done.

> Also the language that allows people to be up and running in seconds (with or without AI).

People getting up and running without any opportunity to be taught about security concerns (even those as simple as the risks of inadequate input verification), especially considering the infamous inconsistency in PHP's APIs which can lead to significant foot-guns, is both a blessing and a curse… Essentially a precursor to some of the crap that is starting to be published now via vibe-coding with little understanding.


Not OP, and I'm no expert in the area at all, but I _do_ have a feeling that there have been quite a few such issues posted here and elsewhere that I read in the last year.

https://www.cve.org/CVERecord/SearchResults?query=io_uring seems to back that up. Only one relevant CVE listed there for 2026 so far, for more than two per month on average in 2025. Caveat: I've not looked into the severity and ease of exploit for any of those issues listed.


Did you read the CVEs? Half of these aren't vulnerabilities. One allows the root user to create a kernel thread and then block its shutdown for several minutes. One is that if you do something that's obviously stupid, you don't get an event notification for it.

Remember the Linux kernel's policy of assigning a CVE to every single bug, in protest to the stupid way CVEs were being assigned before that.


> Did you read the CVEs?

You obviously didn't read to the end of my little post, yet feel righteous enough to throw that out…

> One allows the root user to create a kernel thread and then block its shutdown for several minutes.

Which as part of a compromise chain could cause a DoS issue that might be able to bypass common protections like cgroup-imposed limits.


If we apply risk/reward analysis, how probable is such a chain of exploits? If you already got local root, you might as well do a little bit more than a simple DoS.

Depending on how much performance would be gained by using io_uring in a particular case, and how many layers of protection exist around your server, it might be a risk worth taking.


> Accepting AI-rewriting as relicensing could spell the end of Copyleft

The more restrictive licences perhaps, though only if the rewriter convinces everyone that they can properly maintain the result. For ancient projects that aren't actively maintained anyway (because they are essentially done at this point) this might make little difference, but for active projects any new features and fixes might result in either manual reimplementation in the rewritten version or the clean-room process being repeated completely for the whole project.

> chardet 7.0 is a ground-up, MIT-licensed rewrite of chardet. Same package name, same public API —

(from the github description)

The “same name” part to me feels somewhat disingenuous. It isn't the same thing so it should have a different name to avoid confusion, even if that name is something very similar to the original like chardet-ng or chardet-ai.


This is super interesting. Exploring the basis for Free Software (the 4 liberties, Richard Stallman)... if AI-code is effectively under Public Domain, wouldn't that actually be even MORE defensive than relying on copyright to be able to generate copyleft? Wouldn't the rewrite of code (previously under any license, and maybe even unknown to the LLM) constitute a massive win for the population in general, because now their 4 liberties are more attainable through the extensive use of LLMs to generate code?

Many copyleft licences give more rights to the user of the software than being public domain would.

A bit of public domain code can be used in a hidden way in perpetuity.

A bit of code covered by AGPL3 (for instance) (and other GPLs depending on context) can be used for free too, but with the extra requirement that users be given a copy of the code, and derivative works, upon request.

This is why the corps like MIT and similar and won't touch anything remotely like GPL (even LGPL which only covers derivative works of the library not the wider project). The MIT licence can be largely treated as public domain.


Who cares if it can be maintained. The system now penalizes the original creator for creating it and gives thieves the ability to conduct legal theft at a gargantuan scale, the only limit being how creative the abuser is in making money.

With the incentives set up like that, the era of open software cooperation would be ended rapidly.


> Who cares if it can be maintained.

People who understand and care about the implications of https://xkcd.com/2347/

Which admittedly is not nearly enough of us…


> how can a2mark ensure that AI did NOT do a clean-room conforming rewrite?

In cases like this it is usually incumbent on the entity claiming the clean-room situation was pure to show their working. For instance how Compaq clean-room cloned the IBM BIOS chip¹ was well documented (the procedures used, records of comms by the teams involved) where some other manufacturers did face costly legal troubles from IBM.

So the question is “is the clean-room claim sufficiently backed up to stand legal tests?” [and moral tests, though the AI world generally doesn't care about failing those]

--------

[1] the one part of their PCs that was not essentially off-the-shelf, so once it could be reliably legally mimicked this created an open IBM PC clone market


I don't remember him calling Linus a terrorist, though there were others that associated anything with a copyleft licence to be the loony left (or the commie left).

He certainly referred to both him and Linux as cancers though, that I do remember. He later changed his mind on that, and IIRC may even have publicly apologised for those statements.


He said Linux is a cancer, which was a stupid thing to say, but not the same as calling Linus a cancer. I say plenty of bad things about software that I would not say about the people who create it. I think Next.js is awful to use but that doesn't mean I think everyone at Vercel is an awful person, for example.

He may not have used the word cancer with respect to individuals, I can't find any such reference in a quick search, but he certainly had harsh words to say about proponents of Linux/OSS/similar.

> Small counties generate huge revenues with traffic cameras.

Whether or not that is true (I suspect it is), the best way to avoid fines for breaking traffic regulations is to not break traffic regulations. They can't make anything from you that way if you do.


Until they start changing speed limits, adjusting the timing on yellow lights, or just saying you ran a stop sign when you didn't and - oops! - they happened to have their dashcam off or their car angled so the actual intersection was just out of view.

If they are that corrupt then you have problems beyond traffic fines. Get your own dash cam and such so you can prove they are lying. No, in an ideal world you shouldn't have to, but if you have a corrupt police force you aren't living in an ideal world.

AGPLv3 largely does, if you can and do enforce it in some way when breaches happen.

Exactly: that protection isn't happening right now because those resources are doing something else. The money would be spent anyway, but doing something that is normally considered useful, and that useful thing is not happening to the same capacity as before. Therefore there is an opportunity cost to consider.

The Houthis have been doing a lot of shipping lane disruption, recently. They have sunk several ships.

Iran's Islamic regime has provided material and monetary support to the Houthis.

Crippling their capabilities aligns with the goal of protecting global shipping.


> Sadly, this still doesn't do anything to show me that I should opt out.

Then don't. No need to be sad about it.

> I, as an individual, am not going to have any effect on a business if I opt out or not. No business decision is going to be made because I opt out.

I do it more from a point of view of principle. I don't want to be followed around the Internet by all and sundry who care to, any more than I want to be followed down a dark alley, or followed into Tesco by someone yelling “hey, Dave, I saw you went to the pub last night, my shop has some cheap spirits” or “hey, Dave, I saw you buy a network switch the other week, do you want another one?”.

I also resist anything wrapped in many layers of dark patterns, and that describes almost all current ad tech.

> You might argue that it will matter if enough of us do it. Sure, that is true... but again, it won't matter if I do it or not. If N number of people opting out is enough to ruin the business model, then N-1 is surely enough as well. There is a 0% chance that I am the one who finally causes the system to collapse.

If your stats knowledge and reasoning accept that, then I've got an infinite compression scheme for you. It can compress anything including compressed anythings!

You are jumping between two factors of large numbers haphazardly from sentence fragment to sentence fragment, and the logic isn't following you. At some point N-1 might make a difference, and you could be that -1.

> I do use an ad blocker, and never click on ads.

To use your argument on tracking: but many people don't, so why do you bother? What makes you think you could be the +1/-1 here but not there? And by blocking ads you are blocking a fair portion of the tracking, in fact that is why I block ads much more than the ads themselves. I don't run sponsorblock for the other side of the same reason: that doesn't affect tracking at all.

> If having more information about me allows the website to charge more to show me an ad, and I never click any ads, then I am hopefully helping decrease the return advertisers get by using personal information.

And when the database eventually leaks, many others will have the extra information about you.

And again: by blocking the ads using most ad blockers (obviously not all work the same way) you are blocking at least some tracking.

--------

But again, if you don't want to block tracking, don't. No need to be sad that we've not convinced you with our arguments as to why we try to block it. I know other devs who take your attitude (that it simply isn't worth their effort), and many others who take mine or similar (when it isn't worth the effort, the information or product behind the mountain of “legitimate interest” checkboxes isn't worth the effort either so I'll just move on). Your threat and principle models can be different from ours without either of us being bothered by the other's choices here.

