Hacker News new | past | comments | ask | show | jobs | submit login
WordPress on .NET (peachpie.io)
404 points by pchp on Feb 28, 2017 | hide | past | favorite | 164 comments

This seems to be built on an open-souce PHP->CLR compiler called Peachpie[1]. Interesting project. I don't have any PHP codebase that I still maintain but looking forward to trying it with some scripts I've written back in the days. I wonder if it would be faster than PHP 7 - which is already very fast (ok, just found these: http://www.peachpie.io/benchmarks ).

[1]: http://www.peachpie.io/

[edit] If the author is looking, a few nitpicks from the website:

- A blank page is shown if browser doesn't load 3rd party scripts by default

- After enabling them, the scroll wheel doesn't work

- Typo: "free completely to use" -> "completely free to use"

- "Run PHP apps on the most secure platform available, Microsoft .NET" -> I also admire the platform but most secure? Comes off a bit too strong.

Just noticed a similar comment below - the openssl library which PHP is strugling with with every update. Peachpie uses the one in OS through the .NET being updated e.g. by Windows Update. So maybe "most secure" is too strong, but it is definitely more secure.

Never had any problems with PHP and openssl. Did I miss something or is this specific to the windows platform? (It's been a while since I updated PHP on a Windows system the last time).

Interesting. I had heard of https://github.com/DEVSENSE/Phalanger the predecessor to PeachPie.

>I also admire the platform but most secure? Comes off a bit too strong.

There aren't a lot of .NET exploits for a variety of reasons. Its pretty much the Java of the MS world so a lot of issues more liberal languages have, it doesn't, especially in regards to buffer overflows. Its attack surface is also pretty low as it only really inter-operates, by default, with a limited number of MS applications and is frequently the most common setup, while PHP supports anything and everything. Http.sys also seems like a more secure product than openssl.

That said, its also the minority platform so it benefits from a lack of effort to target it. I also worry that the closed nature of the platform could lead to someone(s) building up an army of zero days while the more open stuff gets discovered and disclosed faster. I'm not sure how realistic that fear is.

At my job we're always scrambling with our FOSS architecture in regards to emergency patching. The MS stuff is more or less 'do monthly patches and forget.'

> I also worry that the closed nature of the platform

.Net Core is 100% open source.

> Http.sys also seems like a more secure product than openssl

How is a goddamn HTTP parser in THE KERNEL more secure than a crypto/TLS library?

http.sys is a fundamentally horrendous idea, see CVE-2015-1635 https://technet.microsoft.com/library/security/MS15-034 An exploited HTTP parser shouldn't lead to RCE "in the context of the System account".

The .NET Core example in the article uses the ASP.NET Core Kestrel server which operates entirely in user mode.

I know about Kestrel, I'm responding to that particular phrase in the comment :)

That's mostly client-side and easily avoided by not using IE/Edge. .NET uses its own library as well I believe. Not sure what the default is.

Historically, the schannel infrastructure has been secure, especially as compared to openssl.

>How is a goddamn HTTP parser in THE KERNEL more secure than a crypto/TLS library?

Because, lets face it, openssl is a shit project of legacy code no one wants to fix and https a design by committee standard no one can work well?

"an attacker would have to send a specially crafted HTTP request to the affected system"

"Disable IIS kernel caching"

That's definitely not client-side at all. IIS is the thing that uses http.sys, and classic ASP.NET apps (not the new Core stuff) are usually deployed with IIS.

http.sys has ifdefs to support one platform, in one configuration. Meanwhile, https://mta.openssl.org/pipermail/openssl-dev/2015-January/0...

The number of config permutations in openssl is staggering, and that has to have an effect on the overall test coverage - which probably affects the number of bug that pass through testing.

Thanks for this, will fix asap.

I've been following the peachpie project for a while. The effort they put in is very impressive.

They choose to heavily modify the C#/VB compiler (Roslyn) to handle php syntax. Microsoft should be investing time into helping them succeed, it would be great to see the Roslyn compiler platform become more broadly used.

Microsoft is doing quite a bit of supporting, can't complain there :)

It's so smart to do that, Roslyn provides a good design, keeping a rich syntax tree that can help for language tooling (auto-completion), so Language Server for VSCode is for free and all backends too.

I work at a large company and we are starting to branch out into other languages. the problem is most of our infrastructure in .NET. Something like this would be really cool as it would allow us to utilize PHP while not asking too much of infrastructure team. I might put in an OSS approval request for this.

I think you might be the first case I've heard of of someone wanting to go from .NET to PHP.

Most of my work in the past few years has been migrating .NET projects to PHP for enterprise clients. Especially with PHP 7, the performance is good, it's easier to hire for, and the total cost of ownership is lower. The doomsayers predicting poor security are wrong - it is just as possible to build a secure PHP system as a secure .NET system, and just as easy to build an insecure one.

Of course, it depends on the project and the company, so this isn't a universal truth. But there are definitely a lot of companies out there spending a fortune on a .NET stack that are looking to move to a PHP open source stack for good reasons.

Not sure that's true. Out of the box ASP.NET has request validation enabled by default that screens out lots of opportunities for XSS https://www.owasp.org/index.php/ASP.NET_Request_Validation PHP doesn't have that for example.

> PHP doesn't have that for example.

Bare PHP, sure, but pick basically any framework that any modern PHP-based web app is built on and then it does, no?

Symfony certainly offers it.

I'm a bit new to .Net but doesn't the shift to .Net Core hosted on Linux and compatible with MySQL/PostgreSQL address all these concerns?

We literally spend millions on licensing Share Point to do what WordPress can do much better and easier. I'm not saying we're going to start writing everything in PHP, but being able to experiment with WP could affect the bottom line in a big way.

It might be a personal thing, but if I had to choose between working for a customer A with SharePoint and customer B with WP, I wouldn't hesitate to choose customer A, even with SharePoint 2007.

May I ask why?

PHP and the overall quality of average WP code?

Honestly, I think I'll take 'average' php code over 'average' .NET code, I just did a 18 mo. stint at a .NET enterprise environment after 8+ yrs of PHP(Drupal, so maybe the bar is higher, not saying it is, but maybe).

I don't have any substantive evidence for this, but I suspect you'd see very different characteristics among people who work on SharePoint and, say, MVC/WebAPI.

Vastly. People who develop sharepoint tend business focused people or ex IT people.

People who develop in MVC tend to be developers.

That explains why all the information you can find about SharePoint development is so muddled I guess.

I started out as a PHP web developer and started developing in .NET when it was released. At this stage, I've been developing applications in .NET for 15 years. Whenever I have to look at a PHP project or ASP classic project, the code quality is usually much worse than other languages. ASP and PHP make it really, really easy to do things wrong.

How can that be any worse than the average quality of sharepoint code?

Static typing and C# disallow many of the typical PHP code patterns I have seen in the wild.

There are a lot of creative ways around strict typing in c#, I spend my days dealing with them. I just finished working on a section that managed to combine the speed of c# with the expressiveness of assembly...

I would look at sitecore. It's still .net, but it is closer to wordpress in that you wouldn't necessarily build a sharepoint in it, but you can build pretty much anything else in it.

Disclaimer, I work on the UX/UI side of a company that focuses solely on sitecore.

I only had a project with Sitecore, v6.5 at the time, and really enjoyed using it.

Just the overall replication of Windows desktop for the backend management UI seemed a bit extreme. :)

Yeah it was a bit odd for me too, coming from PHP and node land. Most of the editing should be done in the experience editor.. which is fairly WYSIWYG in context editing. Concrete5 still does that part of it better. Sitecore has a lot of engagement value scoring and content a/b testing built into it.

Thanks for sharing this, but what exactly does this provide that WP doesn't to justify the cost?

I'm not familiar with the product, but surely leveraging existing expertise has some value.

I'm rewriting a legacy ASP application to PHP right now, and this isn't my first. Though the code is not .NET, .NET was the obvious upgrade path yet it was decided that moving to PHP was preferable for a variety of reasons. You already know the non-technical reasons (inexpensive Linux servers, easy to find devs, MySQL licensing vs MS SQL Server licensing, etc) but PHP 7 is extraordinarily performant and (as a VIM user I cannot believe that I'm saying this) with a good IDE such as PhpStorm it is an absolute pleasure to write and maintain.

Being able to use PHP for templating on .NET would be really nice. Webforms suck. Razor is okay, but the syntax isn't as easy for non-programmers to understand.

Agreed. It's usually the opposite, especially in enterprise. People on HN get in their bubbles and forget that most large businesses use Windows.

This is on .NET Core, so you can actually run this anywhere! I do a lot of Core development on a Mac, but it runs well on AWS/Linux/my toaster.

Weird times, huh?

Out of curiosity, why do you use .NET? (Assuming you use Mac/AWS/etc because you like them)

Not the person you asked but I also develop .NET Core on a mac. I like .NET because I can use C# which is my favourite language, and the new ASP.NET Core framework is very clean, modern and straight to the point. There's very little magic and it's performant and productive.

Dapper for data access is also fantastic for the same reasons.

For me, it's because I love C# (and F#, which I'm still learning).

Because C# is awesome. The most intuitive OO language I have ever used.

That makes it sound like 'people on HN' are trapped in some sort of enterprise-proof foam. Which is unlikely.

I laughed at that. As much as I still shun MS platforms, I have never heard anything good about PHP as a language other than "it worked and was available at the time". Why someone would migrate in this direction is beyond me ;-) but that's just my opinion of course.

Critical mass, availability of developers, good documentation, free. There are many reasons why people pick one technology over another.

Or "facebook uses it". That one tends to go far.

Didn't they start with it and migrate away?

They use something called HHVM, which is a PHP compiler.


And Hack, their language for HHVM that's basically "static types bolted on to PHP".


An aptly named language if there ever was one.

Hack is more than that. Hack solves every little stupid mistake PHP has as a language. It is a good language developed by smart people, has rules to avoid pitfalls and rules to make things more certain. It retains only the syntax of PHP, but in strict mode, hack can be compared to any other good language.

Aren't C# devs at least as easy to find as php devs already? This would vary regionally I suppose. I'd worry about the future availability of php devs if node/.NET keep growing as open source web backend platforms.

And .NET is as free as php?

Not in places where wages are low.

Cheap for employers is what i'm hearing, but isn't really an incentive for an employee..

It is for employees in countries where there are few or no alternatives.

I would suggest a number of other languages you could consider that are better languages than PHP.


I think "better" in this case is relative.

Yes, there are objectively better languages than PHP in terms of design and consistency, but even I'll admit it's difficult to match the shear volume of FOSS libraries, applications, and the huge number of people who know it if you're targeting the web.

Besides, if Peachpie expands the .NET ecosystem to include PHP's, isn't that a win for developers who may be stuck with that platform? I'm not a .NET developer, so I'm sure to be missing something here.

Yet half the web runs PHP. Why? PHP offers good functionality out of the box. Unlike these languages where you will need a hundred-thousand dependencies to build a cms. That is also why porting PHP to .net is not as simple as porting any of these.

Hi, thanks for your comment. Please email us at info at iolevel dot com and we can take it from there.

Err, deploying PHP on IIS is actually very basic.

Running PHP and indeed WordPress on the .NET CLR seems like a great way to eliminate a whole tranche of bugs/vulnerabilities in one swoop. Respect.

How so? A PHP runtime running WP on .NET needs to be bug-for-bug compatible with the real thing (and I've heard early PHP APIs aren't exactly a paragon of API design).

Also, why would php-on-net be updated more often than one of the most used runtimes on the web?

If only the .NET version would use proper security (no permissioner to modify files, sandboxed plugins, ....) then yes. But that would be a rewrite.

Otherwise the .NET version only remedies vulnerabilities in php and not those in WordPress or its plugins.

True, I've been noted, for example, about issues with openssl library, which is updated with every update of PHP ... while Peachpie uses the one provided within .NET which might be more frequently updated by Windows Update.

This is amazing and from the comments I've heard that Microsoft is around supporting the development of this? Is there any MS material mentioning this effort? I'm really impressed by your work

there are links to MS blogs and livecasts http://www.peachpie.io/resources and of course youtube channel https://www.youtube.com/channel/UC5Hh61n9HFyqYbU4iFkqy4A

We made two appearances on the Channel 9 show "On .NET" and one on DotNet Rocks. They also mentioned it a few times on some blogs.

<3 this! any idea on when it will be production-ready?

What's the benefit over running a standard PHP-Interpreter?

Haven't used PHP or WordPress since 2010 so I might have missed something but to me this looks more like a tech demo then something one would use in a production environment.

I remember from the PHP on Java that there were huge performance benefits. So large PHP hosts should see benefits.

Currently there are few microbenchmarks on http://www.peachpie.io/benchmarks Expecting to be updated soon

PHP 7 improved performance by around 3x compared to PHP5, so I wonder how true that still is.

The benchmarks http://www.peachpie.io/benchmarks show peachpie outperforming PHP7 easily by 100x.

For some of the operations highlighted, which are (naturally?) selected to impress. For others, the multiple is in single digits.

WordPress doesn't run 100X faster on Peachpie, but it'd be very interesting to see "real" benchmarks. Even a 2X improvement (vs the latest PHP 7, of course) would be compelling.

On Azure, without Opcache enabled. That's not a very good comparison.

I would strongly suspect that the fact it's without opcache by itself makes it pretty much meaningless for any kind of a real-world application.

Yes, and look at the avg response times. It looks likely that the webserver can't handle the load. The number of concurrent requests should be limited.

While I do know that Azure is owned by Microsoft I'm not so sure on why it's such a valid argument.

In the end it's not like they're actively trying to ruin languages other than C# on their servers? Especially since that would ruin it for a lot of customers?

I would guess that .NET is more optimised on Azure, whereas PHP is not. So you're comparing an optimised installation of .NET against an unoptimised installation of PHP. In general, a benchmark saying "compares various metrics" is pretty meaningless.

I know, but is there any proof of this? And how can we be sure that the .NET environment is better optimised than the PHP environment? I would find it weird for them to shoot themselves in the foot like that. Since if someone were to make a decent blog post that showed proof they'd only have C# programs on Azure...

This all being said they're pretty transparent with their benchmarks. They supply all the code that they've used and are even comparing it to another project which aims to do the same.

I guess I'm just a bit angry because people are just saying "It's unfair" while they can easily do the tests themselves and then call someone out for it.

It's less about being unfair, more about it lacking much value as a benchmark.

The context of the parent to which I originally replied was suggesting that .NET was 100x faster than PHP 7. So I'm pointing out that claim is rather like saying "I'm faster than Usain Bolt". You're right that I don't think the original article was making such a claim.

Unfortunately those benchmarks don't compare against HHVM :/.

We will produce these benchmarks soon, but HHVM is pretty difficult to configure and we have not focused on optimizing our compiler much yet, so the performance is likely to change drastically over the coming months.

a few comments above said php7 was running without opcode cache, hhvm is even more about caching setups than php7...

Tried the TechEmpower plaintext benchmark using Peachpie: Requests/sec: 305,612.35


Hard to say. We want to test it thoroughly before releasing version 1.0. Also, we are still missing a few key functions/constructs of PHP, such as eval() or PDO. A rough timeline would be "a few months" :)

I don't care about performance, show me if security has improved!

(which in the case of Wordpress can't be that hard)

WordPress security is complex.

The core code is OK, security wise. Comparible to similar projects, I guess.

The two major issues are that typically PHP runs with permission to modify the WordPress directory, which is useful for automatic upgrades, but means any exploit in any plugin, theme, etc. instantly becomes, "can replace WordPress".

The other is that all themes and plugins are completely unsandboxed, and the quality is extremely variable.

The permissions thing can be fixed, by running a very stripped down wp-php user with only read access to the code, and only write access to wp-contents/uploads (and a logging dir). Then you do automatic upgrades with wp-cli and (real) cron from a user with write access.

The quality of plugins and themes is not easily fixed.

The API for writing plugins and themes doesn't help. It's archaic, spaghetti, and doesn't have any kind of coherenc. Global functions like wp_is_home(), the_loop(), get_sitename(), etc.

I've come across themes which bundle joomla inside them as they're really joomla themes with a shim.

> OK, security wise

Since when is implementing your own home-grown shitty replacement for parameterised queries "OK"?

Since you need to support versions of PHP that don't support the extensions that have parameterized queries.

Except… you don't?

> WordPress also works with PHP 5.2.4+ and MySQL 5.0+, but these versions have reached official End Of Life and as such may expose your site to security vulnerabilities

> PDO ships with PHP 5.1, and is available as a PECL extension for PHP 5.0

Unless you mean "hosts that disabled PDO"… I think they can safely be ignored.

PDO is disabled by default, and was even on default installs of 5.6 last I checked.

Most Linux/BSD distributions seem to separate out "core" PHP extensions (those that are distributed with php source, not via peel) into individual packages.

So while PDO may not be installed by a plain `apt-get install php5` or similar, I doubt the now deprecated `mysql` extension is installed by "default" in those scenarios either.

Edit: this approach also means that the PDO extension in php.ini will be commented, because its loaded by a package specific ini file e.g. /etc/php/7.0/fpm/conf.d/* which are generally symlinks to /etc/php/7.0/mods-available/

Yeah — 'mysql' wouldn't be installed either on FreeBSD if you just install php. So typically hosting providers install all the extensions.

What "default"? Compiled from source? Debian package?

Just checked, seems enabled by default on FreeBSD.

(Commented out in php.ini doesn't mean disabled — here it's enabled in separate files like /usr/local/etc/php/ext-30-pdo_mysql.ini)

MODX Revolution uses PDO exclusively, never had problems with it on any hosting service.

I don't really understand your point. WordPress is ubiquitous. Until today I've never heard of MODX Revolution.

Commented out in php.ini does mean disabled - as in not enabled. PDO isn't enabled by default in FreeBSD you still need to install a separate package for PDO.

His/Her point was that if someone is still using shared hosting (where they can't change the extensions available) it would be very rare to find one that doesn't have PDO enabled.

> Commented out in php.ini does mean disabled - as in not enabled.

Not necessarily, as I explained here: https://news.ycombinator.com/item?id=13761550

Which version of PHP does WordPress support that doesn't support parameterised queries?

Here's a hint: Wordpress since v3.3 needs PHP 5.2+. MySQLi was added in PHP 5.0, PDO in 5.1

WordPress v3.3 was released in 2011.

> WordPress security is complex.

This must be an oxymoron since complexity is the enemy of security.

I think what you meant to say was

> WordPress security is at best ad-hoc, and mostly non-existing

I was replying to

> show me if security is improved! > (which for Wordpress can't be that hard)

that is, to say that the concept of 'WordPress Security' isn't a single simple thing to 'improve'. Unfortunately. If you wrote a set of 10 jillion tests and proved that wordpress core has no possible security vulnerabilities (humour me), that still would not fix 'WordPress Security'.

From a theoretical point of view, you're absolutely right, and I agree with you.

From a practical point of view, WordPress is often 'good enough', and 'works well enough', and has 'few enough security issues', for many people.

Improving security is great, but it's a complex, perhaps impossible problem.

I'll do you one better.

We're hosting a private-facing WordPress with several custom post types and some custom fields using ACF Pro. Then we pull directly out of the database with some not-too-complex and fast SQL queries and build a static site with Jekyll. The whole thing is about 200 lines of Ruby + a bunch of configuration for each post type. I'm working on making this a little more generic, because this thing really smokes.

In migrating to this, I'm doing a similar process with our previous mess of a WordPress site by pulling from the DB and writing JSON. WP All Import + ACF plugin takes care of the rest.

All uploads are now served out of S3 buckets and our editors write Kramdown now instead of HTML and inline CSS. We can easily A/B test or Multi-Armed Bandit now too.

It would have been a lot easier if the Wordpress REST API weren't a piece of junk. SQL is consistent at least.

How are you handling all the rendering that WP needs to do on a post (e.g. shortcodes, special HTML formatting, etc)? ... or are you just forcing your users to write Kramdown and leaving out things like shortcodes? IMO, the worst parts about Wordpress are: 1) complete coupling of data to PHP and 2) the absurdly terrible DB schema.

I disabled the default toolbar with shortcodes and replaced it with my own with Kramdown versions. I hooked the Add Media button to output Kramdown instead of HTML as well. Also we're having our editors write Kramdown.

Lastly, when pulling all the data, I determine if the post is HTML or Kramdown and use the Kramdown library to parse the HTML.

Everything migrated from the old site was automatically converted to Kramdown this same way and had to have some minor cleanup work done on each post. Not a small task on our main WordPress site with 7000+ posts/pages.

The interesting part was that wp_autop() happens at render time, so to get Kramdown to parse the HTML correctly, you actually have to RegExp replace '\n\n' with '<br /><br />' first to preserve paragraphs.

I'd love to hear what problems you've had with the WP REST API. Always looking at ways to make it better.

Some of them are just bizarre. We have like 14 different WordPress sites with varying degrees of customization. Oddly, some of our most basic WordPress sites (basically zero plugins) would return _no results_ when querying for Posts. Especially in our Multisite instances. Especially in our sites that hook parse_request. Some others would return inconsistent results for the same queries. Custom post types would most-consistently not return sensible results. Entries in the wp_postmeta table stored via ACF Pro seemed essentially inaccessible.

Most annoying though is that the API returns paginated posts but without returning data about how many posts there are or what page you're on. IIRC, there was a hard limit on returning max 100 posts per query. Might have been higher but significantly less than the number of posts we have. It was a total nonstarter unless we could guarantee that we could make and return enough queries to return all the posts before anything changed. With a 40+ content team that's impossible.

Sorry that I can't be more accurate than that right now.

Side note: I don't know if this has been said before, but ACF Pro is like the single most essential WordPress plugin for dev teams who know what they're doing. That plugin combined with some dev time replaces the need for like 99% of anything else that we would need to install. Please consider doing whatever it takes to make that plugin part of WP Core. Installing it on any site is a really sensible thing to do. That said, their field labels ("field_<somedigits>") really should be replaced with a GUID.

You're seriously out of touch if you think the WP Core is not secure. You must realize they have a very competent team (https://automattic.com/), not to mention thousands of OSS developers that continually contribute. Does your company, or does this small team of techs even come close?


not even have a very competent team can put enough lipstick on this pig:


What you're missing is that these security exploits are discovered, patched and disclosed. The same can't be said about most tech services / products. Security through obscurity is not a viable strategy.

What has this to do with security through obscurity??

WP security is like Whac-A-Mole, you patch one serious issue and two more pop up. It has been like this for years which shows that the developers don't have the correct mindset to write internet facing code.

I pointed you to a SQL injection / remote execution vulnerability in the WP core, in 2017 for gods sake.

Perhaps, but WP also has a large user base from which to pull from so I would hope vulnerabilities get discovered and patched quickly. However, I think it's quite telling that such a popular project still has issues with SQL injection even with so much active development apparently going on.

This is very clever, what is the performance like compared to PHP?

From their benchmarks page (which looks remarkable)


Remarkable, but as bleeding-edge tech I think it's disingenuous to include PHP5.6, which is now only on security support. I know many PHP sites run this version and even older ones, but I think the audience for a project like this are PHP7 developers.

That said, I was really impressed by the improvement on require performance. The requests/sec also seem to have big gains.

I also wonder what security improvements other are expecting from this? Isn't unsecure code unsecure regardless of language?

CLR imposes lot of requirements for an assembly to run, that would definitely improve security esp. when comparing it to a interpreted language.

Ah ok. In terms of security I don't tend to think of memory safety, etc. especially since PHP processes die fast. I thought everyone was talking about SQL injections and the like so I was very confused

Thanks for clarifying!


Wow those are interesting.

SQL Injection is still an issue if there are string concats every where and calling the DB, so that is something, that can still happen.

That's quite a blowout.

Any chance we can get PHP's HashDoS vulnerability removed if we switch to PeachPie?

PHP 7.2 will make libsodium a core extension, so if you use that, you can make use of SipHash-2-4.

Interesting question. Beside that ASP.NET limits request size, Peachpie uses .NET hash function that differs from that used in PHP. Am I close ?

Several years ago I used to run a WordPress blog on IIS 7 using FastCGI. The performance wasn't great but acceptable for a small blog. Wonder how this compares.

It is faster

Your developers were so preoccupied with whether or not they could, they didn’t stop to think if they should.

That's an assumption on your part. What a terrible comment.

He's quoting Jurassic Park. The idea is that the technology does something that would normally be considered highly unusual or even ridiculous to consider, like running a very complicated code base through a transpiler to make it run on another tech stack. Generally speaking, this kind of comment would be a compliment. Sort of along the lines of "wow, that's absolutely crazy, you did something no one would have thought possible, good work".

It's a much more light-hearted comment than you seem to think it is.

I don't care what he's quoting and to see this as 'light-hearted' (without any further elaboration on the part of the OP) is extrapolation.

FWIW the comment in the movie is also a negative one.

> John Hammond: I don't think you're giving us our due credit. Our scientists have done things which nobody's ever done before...

> Dr. Ian Malcolm: Yeah, yeah, but your scientists were so preoccupied with whether or not they could that they didn't stop to think if they should.

> John Hammond: Condors. Condors are on the verge of extinction...

> Dr. Ian Malcolm: [shaking his head] No...

> John Hammond: If I was to create a flock of condors on this island, you wouldn't have anything to say.

> Dr. Ian Malcolm: No, hold on. This isn't some species that was obliterated by deforestation, or the building of a dam. Dinosaurs had their shot, and nature selected them for extinction.

> John Hammond: I simply don't understand this Luddite attitude, especially from a scientist. I mean, how can we stand in the light of discovery, and not act?

> Dr. Ian Malcolm: What's so great about discovery? It's a violent, penetrative act that scars what it explores. What you call discovery, I call the rape of the natural world.

You are far too serious a person.

I actually stand by the sentiment. Wordpress is a virus, and like jQuery, it has negatively impacted the development scene of the language is lives in. PHP, on the cusp of becoming a more respectable language (I freely admit my love for PHP, to this day, even though I primarily work in Java and Python now), was taken over by WP "developers" who flooded the market and sell themselves as engineers when all they can do is copypasta a few wordpress idioms.

I don't hate on wordpress itself, its a fine, though early on troubled codebase. The predatory community it has created, the security issues it continues to create, and the low-barrier to entry that floods the market with a ton of really bad code isn't something I would want to bring into another language's world.

And here's where the light-hearted part comes in... I know that projects like these would NEVER actually cause that kind of effect on their language because nobody would take it seriously... but the analogy of what COULD happen (you know, fictional, like ridiculous unrealism of the base concept of the movie) was apt.

I fail to understand why in a world so caught up in negativity and rigidness, people chose to not allow themselves to enjoy or notice light-hearted humor, and actively defend their stance against it, as if somehow eliminating light hearted jest is a benefit to a world already buried in such negativity...

The person posting this went out of his way to try to do some good. Instead of taking them down with cheap shots: What have you done to give the PHP world (better?) options?

If everybody that railed on others creations would instead spend the time to provide better alternatives then we wouldn't be having this discussion. But cheap shots are cheap and work is hard.

It can be negative and still light-hearted. The phrase itself has become a meme, usually applied to stuff like KFC's Double Down.

One could argue PHP had its shot.

You could, but you'd be ignoring the realities on the ground:

Wordpress powers a vast chunk of the web[1], whether we like that or not, and frameworks such as Symphony a good bit of the remainder.

For the love that Clojure, Rust etc get on HN their over-representation should not lead you to believe that 'PHP has had it's shot', PHP hasn't had it's shot by a long shot...

[1] https://managewp.com/statistics-about-wordpress-usage

If Java is the COBOL of the 21st century, PHP is its RPG... ;-)

Mapper? Mimer?

The reasonably good news here is that PHP code tends to have a rather short life-span so the bulk of it should die off relatively fast once there is an actual alternative.

That's the puzzling bit: even Ruby, python and all the other 'better' languages still don't have the deploy situation worked out to the point that PHP has.

Well, considering the fact that PHP post v4 is trying to become Java, it made sense that at some point it would be able to run on the JVM or its step-cousin CLR.

By the way, does anyone know of a similar project where the JVM is targeted instead?

Quercus was (is?) an attempt at doing PHP on the JVM, it's been many many years since I last looked into it. http://quercus.caucho.com/

"project zero" was an effort from ibm to run php on jvm, but it's been several years since anything was done (have to assume it's abandoned).

i remember in 2003 wondering if something to allow php to run on jvm would be useful/viable - couldn't convince too many folks in the local user group that the idea had any merit.

j-php - but they don't try to be able to run existing apps

I can't file an issue on GitHub but the project is missing the license and the WordPress standard copy seems to have been removed.

We disabled issues for now, but thanks for pointing this out. Just added the license to the peachpie-wordpress repository.

Cool idea. How is the performance vs PHP?

Check out Ben Adams' benchmarks at https://github.com/benaadams/PeachpieBenchmarks

We haven't benchmarked WordPress yet, as we haven't even started doing any optimization work. It's faster than expected though, but we'll produce a proper benchmark soon.

They have benchmarks here: http://www.peachpie.io/benchmarks

The last one is probably the most useful and impressive.

As mentioned by sibling, not WP-specific, and benchmarks often lie, but better than nothing.

But why?

This is a great way for Microsoft to show the potential of and build awareness for .NET core, I hope they are helping these guys.

The nuget thing is inefficient, MS should plot a path to make npm a first class citizen in all ms tools.

>NPM is already supported by default for quite some time in VisualStudio

I should have been more clear. I mean MS should work with Node/LAMP people to invest in one package manager more than the other. Like they did with TypeScript, they didn't just build a tool that linux people never used, they made useful tooling and also spent a lot of time bringing Google and others into the fold.

It makes sense to back npm because (guessing) it's used more than nu-get is used by VS devs. However if nu-get has a stronger ecosystem, stronger user base, etc choose it.

Having competition is usually good, but sometimes it just means it's more work to have to learn more/work more to get the same thing done (if you work across environments). Take instant messaging protocols, lots of competition but not even having cooperation has made the result terrible. Incompatibility everywhere, reinventing the wheel, etc.

To be sure some things are better not unified. We have multiple, un-unified browser engines and implementations which is critical. It improves competition, innovation and quality while still allowing surface level standardization in html/css/etc.

I try to look at each set of competing projects independently and ask: Overall is this helping, or it is mostly just wasting time as clients are forced to learn multiple techs.

Why on earth would MS want npm to replace what is one of the better parts of the .Net world?

No, please, no. It'd be nice if somebody would get back to maintaining nuget packages for front-end stuff, the way it was a few years ago, before everyone collectively threw in the towel, shrugged, and said, "I guess npm isn't that painful. You know, compared to having forks shoved in my eyeballs, it's quite nice."

That would require a filesystem that can handle node first.

How is nuget less efficient than npm?

NPM is already supported by default for quite some time in VisualStudio.


PHP is about to face Embrace, extend and extinguish?

Shared Apache+mod_php+MySQL hosting turns out to be impossible to extinguish…

Yes. I had hoped node.js would fill the role of a cheap generic hosting platform with taste. But while it works well for me on VMs/cloud, managed hosting for node.js is nowhere near PHP in terms of ubiquity.

I'm not sure if your "joke" is relevant. .NET core is open source: https://github.com/dotnet/core

Things have changed a bit since the J++ days

Guidelines | FAQ | Support | API | Security | Lists | Bookmarklet | Legal | Apply to YC | Contact