Hacker News | Tadpole9181's comments

As someone who prefers PHP in general and finds the TC39 committee has kneecapped the JS language in the past few years...

> PHP has a vastly simpler toolchain

Firmly disagree.

You can install Node and have a basic server running in a few seconds.

PHP requires installing and setting up a server tied into FPM and then reconfiguring a slurry of bad defaults. If you don't avoid the footgun of "traditional" deployments, you get to deal with mixed versions of source. If you don't avoid the footgun of "native" sessions, you get to deal with INCOMPLETE_CLASS errors galore.

And if you want a dynamic frontend, you're still going to want to bust out JS.

> I can't find any reason why I wouldn't use PHP instead

Using a single language for both frontend and backend with (largely) the same availability of tooling and the ability to share code (i.e. type definitions).

> generally better runtime performance

I find this hard to believe? Intuitively, I would assume that the Node / Bun engines are significantly faster than PHP - which doesn't even come with its JIT enabled by default on the (perfectly valid) note that backends are almost always constrained by DB times.

> a package ecosystem with Composer that isn't overrun with inane vanity projects and supply-chain vulnerabilities.

Functionally, Composer is worse than any of the NPM package managers IMO. PHP's global, shared namespaces preventing monkey patching and nested dependencies is a huge burden when you need to use Lib A and Lib B, but both have conflicting dependencies on Lib C.

But the only reason it doesn't suffer (as many) supply chain issues is two-fold:

1. Packagist's source of truth is the repo and tags. It's much easier to notice a GitHub account being compromised, which is already harder because it's always had better account security expectations, than NPM. But this comes at costs - such as being unable to rename a package in-place, because Composer gets really confused when it clones a trunk that has a different name than what you asked for. And it's not intrinsically more secure, since tags are not immutable and people can host on less secure VCS platforms.

2. But more than that... it's just less used? The PHP ecosystem is noticeably smaller and has way less happening.

So it's very much trade-offs.


> You can install Node and have a basic server running in a few seconds. PHP requires installing and setting up a server tied into FPM...

Without mentioning more, the PHP equivalent to your Node example is `php -S`.


Or FrankenPHP, or hell, there's still even good old Apache. Or avoid the SAPI interface entirely with servers in PHP like Workerman, AMPHP, or Swoole. FPM is entirely too fussy for me to bother with: its error handling is atrocious (restarting in an infinite loop with no backoff is common), and no one really knows how to tune it.

Those are great solutions for production deployment, but to the previous commenter's point, for iterating on your local machine during development work, nothing beats just running `php -S`.

Launch the interpreter's built-in dev server in your project directory, load up localhost in your browser, work on your code, and testing incremental changes locally is just a matter of hitting F5.


By default the dev server is single threaded, but since PHP 7.4 you can add more with an env: `PHP_CLI_SERVER_WORKERS`

I’ve been using PHP for over a decade and have never used FPM.

“Using a single language for both frontend and backend with (largely) the same availability of tooling and the ability to share code”

Is a negative. I want backend world and front end world to be different because they do very very different things.

“But more than that... it's just less used? The PHP ecosystem is noticeably smaller and has way less happening.”

That’s not true, PHP is less resume driven development and actually about productivity. I’m really happy narcissists hate PHP and don’t burden it with their garbage and slopworks.


Can you explain to me how this isn't considered outright fraud? The SEC has rules specifically around the lifetime of a company / ticker in terms of things like inclusion in indexes and retirement accounts, right?

How does allowing this not simply encourage a world of, basically, stock market karma farming: making bullshit barely company companies, just to sell the ticker so they can be used to engage in a pump and dump scheme with the little wealth the working class has left?

This domain isn't exactly my forte...


It is not my field either except for amateur interest. My understanding is that because they are publicly disclosing it to investors, it's not fraud in the legal sense. Fraud requires deception. It could be that they do genuinely believe that their expertise in shoe selling translates to expertise in AI infra.

If you agree (or think that enough people will agree to increase the value of the stock), you can buy the shares. If you don't, you aren't forced to buy it - and as a penny stock with a market cap of $21MM, nobody's index fund or pension is going to be forced to buy it either.

The stock market sort of _is_ just karma farming - building belief in your company vision so that investors bring capital. Nearly all companies trade at a positive "P/E ratio" - that is, the price of a share is on average 10-20X higher than their current earnings - the difference representing pure belief that the company will earn more in the future.

The regulatory guardrails around it are not perfect, but striking the balance between allowing the public to participate in the growth of successful companies in a dynamic economy, and protecting them from scams, is a fine line. Being able to invest in publicly traded companies has made many middle class and working class people wealthy, the regulations do work for most people to keep them out of trouble while allowing them to participate. The people who get hurt are the ones who trade penny stocks like lottery tickets, which is less a regulatory failure and more the impulsive behavior that drives any kind of gambling.


You just described exactly what a SPAC is.

> Picking up a flower and smoking it on the spot is interstate commerce

I don't quite follow - would you be able to explain the argument behind this for me?


(Not the poster you're replying to)

Pretty sure they were pointing out the absurdity of Gonzales v. Raich (545 U.S. 1)... But that really is the holding of the US Supreme Court in that case.


We officially threatened to invade Greenland (and therefore the EU) and Canada. The former we threatened again, what, two days ago?

Not to mention the tariffs against our allies we levied. Or the fact we personally insult them from our highest office WRT things like calling their dead service members cowards.

They're not going to just forget how the US population and half its legislative body just... Doesn't care at all. Will just let all of this happen.

We have become an apathetic, unserious people.


No? That has always been a uniquely unreadable language with weird, arbitrary choices.

And on no planet is it human readable without parsing.


That is an unjustified over-generalisation.

HTML markup is pretty readable (except when it becomes soup) and I read and write raw HTML documents all the time. I like it better than markdown.

It's even more readable in a code editor that distinguishes tags from content.


Ask your grandmother to do the same.

On this planet, humans have read HTML without parsing for years. People building their first websites without any significant technical knowledge stole HTML by reading the source of other sites and edited it by hand.


Oh, please. Don't insult everyone here by pretending you actually believe HTML is a human readable format like markdown. It was never designed for that and has never claimed that.

What a ridiculous thing to even say.


It is. Humans do read it, and have read it. Like any language it's just a matter of familiarity.

HTML was designed for humans to read and write long before Claude or compiling everything from typescript or whatever, when websites were all written by hand. In text editors. Even if you were using PHP and templates or CGI you wrote that shit by hand, which meant you had to be able to read it and understand it. Even if you were using Dreamweaver, you had to know how to read and write HTML at some point. WYSIWYG only gets you so far.

Is HTML more difficult to read than Markdown? Sure. Is it impossible? Not even remotely. Teenagers did it putting together their Geocities websites.

You can be as snarky as you like, but facts are facts.


I'm confused. Are you saying you cannot read an HTML file?


You must be kidding. If you can read BBCode you can read HTML.

I don't think they were appreciating that HTML could be read unrendered. I think they meant that it was up to the browser to render HTML with sensible but unspecified or otherwise user-specified styling (the browser is supposed to be a "user agent", remember?) before web designers started aiming for pixel-perfect control through CSS.


Especially after the double-tap on civilians and first responders the US just did on that bridge. Or the threat for no quarters from the secretary of defense. Or the threats to destroy critical civilian infrastructure for water or power.


Or Hegseth running his mouth about exactly this issue...


Trump openly stated one of the perks of running an underage beauty pageant was being able to walk in on them in the dressing room.

He has himself admitted to being a pedophile...


I can't believe you are making me defend this guy.

It is creepy as shit and I wouldn't allow him near my kids, but there is a very specific legal definition of pedophile and looking isn't the same as touching. It dilutes the term when you use it the wrong way.


No clue what you're on about:

> Pedophilia is defined as a sexual interest in prepubescent children.

When they touch them they're not a pedophile, they're a pedophile molester or a pedophile rapist. It adds an additional word.

He likes looking at children in states of undress. He's a pedophile.

And, if dozens of people are to be believed across multiple lawsuits and 30,000 files at the FBI he's going to literal war to hide, he's a pedophile rapist too.


> It is creepy as shit and I wouldn't allow him near my kids, but there is a very specific legal definition of pedophile and looking isn't the same as touching. It dilutes the term when you use it the wrong way.

Then why wouldn't you allow him near your kids? If he isn't legally speaking a pedophile, what would you be worried about?

If it were the case that "looking isn't the same as touching", child porn wouldn't be illegal. Trump is a pedophile because he's attracted to underage girls, he isn't not a pedophile if he looks but doesn't touch.

And there is a mountain of (granted circumstantial) evidence from the Epstein files that have been released to suggest he's probably done more than just look.


I want to see him die in prison.

I only care about the legal definitions because that's how you get someone arrested, convicted, and thrown in jail forever.


He's already been found liable for sexual assault, and I don't doubt a case for pedophilia could stick if the standard is beyond a reasonable doubt - he drew a picture of a naked girl on a birthday card for Epstein FFS. Just his conspiracy to keep the Epstein files hidden and protect anyone culpable (in his party) alone would put him in jail until he died if SCOTUS hadn't decided that anything a sitting President did while in office was legal.

Unfortunately he's going to die a free and wealthy man, and be buried with honors. All we can hope is that he does it soon and that he soils himself on the way out.


From every instance I've seen, Proton has only ever done what is legally required of them by a warrant. They do not get to say no when asked to turn over what they do have; which is going to be things they can't avoid storing - like email addresses or recurring payment information an account has.

But they don't store logs and all actual data is E2E / at-rest encrypted, so that data does not exist for them to give away. There's no master key or back doors.


The problem is the gap between marketing promises and realities. Proton markets itself as a safe Swiss product[0] for activists[1], but the reality is their accounts often expose more than a casual user may expect, like a secondary email address[2] (often required to sign up) or payment info[3]. The Swissness is even more suspect according to this article, if it's true that they rely so heavily on American infrastructure and don't responsibly disclose this even in their privacy policy.

[0]: https://proton.me/blog/switzerland

[1]: https://proton.me/blog/protesters-free-speech

[2]: https://www.theregister.com/2024/05/13/infosec_in_brief/

[3]: https://slashdot.org/story/453084


This seems unreasonable. The entire point of Proton is that they themselves cannot access your data, that's how I've seen it advertised. The Swiss thing is more just that they can't be compelled to enable logging. (To be fair, though, maybe that's changed. It's been a while since I saw their home page and I don't exactly make a habit of disabling my adblock).

But I don't see how any reasonable person would not know that the email addresses and payment information that Proton must have access to would therefore be subject to disclosure to law enforcement. And for the vast majority of people, they aren't exactly on a tight watchlist where intelligence agencies are making thread boards to catch them committing international crimes to make this matter.

Anyway, I especially don't understand the flak they get on this forum with people who do understand and should understand how hard it is to advertise technical features to normies.

Normal people aren't cyber criminals who need to hide every speck of their trail from all governments. They just want to feel like no one is reading their messages or Internet history or passwords. Proton offers that, full stop.


A recovery email address is your data, and a company that prides itself on encryption could figure out a way to hash it too. Maybe I'm just below average here, but I expected that from them at a minimum. I was shocked to discover they didn't bother.

It's not unreasonable to think Proton should significantly tone down promises like "We support peaceful protest" while seriously downplaying what they will turn over[0], or promising "We are... committed to defending your freedom" on their homepage[1]. It's certainly reasonable to have a complete list of data processors in their own privacy policy.

[0]: https://proton.me/blog/protesters-free-speech

[1]: https://proton.me/


Proton cannot destructively hash the email address for recovery because they need to use it. And if they can use it, they are legally mandated to give it to LEO in warrants that include that data as scope.

You can argue they should have a password the user holds to encrypt the recovery address, but that's going into the territory of hurting normal users. You use a recovery address when you don't have your password or recovery phrase. Requiring a password for the recovery email would just mean more customers locked out requiring human intervention (if it's even possible for that account) to get access back for the customer. And remember, many users also use the same account for their password manager.

And no, Proton is 100% welcome to publicly support free speech and protest while not destroying their company and going out of business with all their executives jailed for not complying with non-optional, legally required, minimally exposing warrants from law enforcement.


Proton can claim what they want, but when they promote themselves as supporters of peaceful protests while quietly handing over account details for people engaging in them, that is false advertising.


If proton hashed your email how the fuck would they send you an email? Did you even think this through?

They're doing the best they can, but at the end of the day it's literally impossible for them to have absolutely zero data.

They need your credit card number stored somewhere so they can repeatedly bill you. That's just how billing works. They need a recovery email on file so they can email that address.

That doesn't mean that they're not committed to defending freedom.

I'll echo what other people have said: this feels like a psyop. If I were the CIA, I would be doing exactly what you're doing here: spewing unreasonable nonsense about proton in an effort to discredit it so that I can push people towards insecure services.

Nothing even comes close to proton when it comes to email security and privacy. That doesn't mean that we can't criticize proton - we can, and we should. But it has to be legitimate critique.


> If proton hashed your email how the fuck would they send you an email?

By asking you to provide it again if you click the "recover account" button, comparing what you enter against the hash, and then sending recovery info to the valid email you provided.
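
The recovery flow this comment describes (keep only a hash of the recovery address, have the user re-enter it, compare, then mail the address they typed), as an added sketch that is not part of the thread and not Proton's code. The function names, the PBKDF2 iteration count and the lowercase normalisation are assumptions made for illustration.

```python
import hashlib
import hmac
import os

ITERATIONS = 200_000  # assumed PBKDF2 work factor for this sketch


def _normalize(address: str) -> bytes:
    # Assumption: addresses compare case-insensitively, ignoring outer spaces.
    return address.strip().lower().encode("utf-8")


def _slow_hash(address: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", _normalize(address), salt, ITERATIONS)


def enroll(address: str) -> dict:
    """At sign-up: persist only a per-account salt and the slow hash."""
    salt = os.urandom(16)
    return {"salt": salt, "digest": _slow_hash(address, salt)}


def start_recovery(record: dict, submitted: str):
    """At recovery: return the address to mail if it matches, else None."""
    candidate = _slow_hash(submitted, record["salt"])
    # Constant-time comparison of the two digests.
    if hmac.compare_digest(candidate, record["digest"]):
        return submitted.strip()  # plaintext exists only for this request
    return None


if __name__ == "__main__":
    record = enroll("Alice@Example.org")  # constructed sample address
    print(start_recovery(record, " alice@example.org "))
    print(start_recovery(record, "mallory@example.org"))
```

Email addresses are guessable, so the per-account salt and slow hash only raise the cost of testing candidate addresses against a disclosed record; they do not make the stored value unrecoverable.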


This isn't much comfort when the Swiss government bends over and takes other states up the ass at the slightest issue, eg https://www.404media.co/proton-mail-helped-fbi-unmask-anonym.... Why on earth is the Swiss state acting like stooge for the FBI? Tell them to go fuck themselves like a normal person.

PGP/GPG (can never remember the difference) is the only privacy solution worth a damn and proton is just a gmail alternative with a nice interface.


If they advertise that they will protect their users' privacy, then I don't see how complying with government snooping is an excuse. Either provide what you say you will or don't say that you will provide it.


Proton has never said they will refuse a warrant for what your email address or recovery account are. They say that the contents of your emails, calendars, notes, passwords, etc are not accessible to them and therefore cannot be spied on even if a warrant is fulfilled.


Proton's homepage says:

> We are a neutral and safe haven for your personal data, committed to defending your freedom.


If you read that as "we'll break the law for you", it's a you problem.


I read it as a commitment to do something, but I see nothing that comes close to matching it.

Why? It's very likely we will never get a "proper" KSP 2. And that was pretty clear from KSP 1 through the acquisition to the multiple studio transfers


We quite literally have a whole report from multiple independent intelligence firms and agencies with corroboration from the FBI that he is...

