 I'm using a new slide deck. I don't know how to make it full screen. So hi, my name is Kai Hendry. You've got to track me with that camera. I'm over here now. Oh, still. So you guys all run PHP on your hosts and whatnot. What version of PHP do you run? You know what it is? Six different versions on six different servers. I think that's a good example of what a bloody nightmare it is. And this is the problem I have, too. And anyone who hosts PHP apps, you must be aware that probably one of your instances is running maybe a vulnerable version of PHP. And that is a terrible situation. I've known some big corporates to run some sort of clever firewall before you hit the PHP to filter out all the sort of attacks on that old version of PHP. But still, that's not a very performant way of going about things. So my browser that I'm running this presentation from, you can view it yourself on torx.webconvergid.com. Well, they might. The browser nowadays that I'm viewing this presentation from, that updates, itself updates, a reboot machine. It's got the latest version of Firefox or the latest version of Chrome. But PHP doesn't. So evergreen means that it keeps up to date. I think that's like a newish sort of industry term. Did you guys know what evergreen was? Did anyone know what it was? It would be over trees. Yeah, you would think it would be something to do with trees. But unfortunately, that term has been hijacked. So basically, what I want to talk to you guys about is how the hell do we keep our PHP instances up to date? Because that's my problem. It's your problem. I actually don't have the solution. I'm just going to talk about the problem. Sorry. I have screwed up, haven't I? You can go to sleep now. Well, I just wanted to obviously say that PHP historically has had Linux Apache and MySQL as the little compatriots. I mean, do you guys run MySQL or what do you use? Oracle or some horrible database? Is anyone crazy like me that runs everything off like a file system using Git? Or use just S3 or something like that? You're crazy. I'm so crazy. And I tell you what, my thing will outspeed your app by a long way. And Apache, most people probably have switched to Nginx. How many people are using Apache? How many people are using Nginx? OK, I'm going to say half, half. Whatever. Should be using S3. No, I'm joking. OK, that's boring. So let's talk historically. Back in the good old days in 2005, when I was just 15 years of age, back in the good old days, can you remember those days when we had Dreamhost? Dreamhost was such a wonderful host because they were cheap and you could just upload your PHP files there. And it would just work. And they even threw in a database and it had this lovely UI which got clunky and clunky over time. And the brilliant, brilliant, brilliant thing about this is that they updated PHP. Oh, yeah. I don't have to do it. They do it. So it was actually really easy. I mean, I still have some old PHP apps hosted on Dreamhost for about 10 years. They just sit there. They are working and they are running with the latest PHP, all good and well. That's how it used to work for the most part. Maybe, I mean, who still uses the shared hosting approach to get their PHP apps live? Come on, there must be some idiot. No, it's actually. To be honest, this is the best way to do it, in my opinion, because the whole thing is maintained. I mean, I've got loads of little apps. This is actually the best. And now we're going to go fricking downhill, guys. Come with me to the journey of horribleness that we are today. Today, we have these things called Virtual Private Service. Also there. I can't wait on the server now. It's brilliant. It's brilliant. And it only cost me $10 a month with DigitalOcean. Oh, yeah, yeah, yeah, yeah. I'll install Debian. I don't know what the F I'm doing. I'm just going to install Ubuntu. And then people install Ubuntu and Debian. And then they never update it. And even though it's a pro, it's like myself. I'm a pro. Even I don't even log into my server and do a dis-upgrade from time to time. So what we're left with is like a vulnerable out-of-date PHP instance. It's a mess. And this is what most people are probably doing. Who uses a VPS? Do you actually upgrade it? It's a disaster. Is there? And it's not just that it's not maintained. Someone's not looking after it anymore. That's just PHP. There's a raft of other tools on that VPS that's probably not maintained. And who maintains your firewall? Do you probably even don't even bother for the most part? I mean, it's kind of a crappy situation that we are in today. But it's going to get worse. Oh, yes. It's going to get worse. Welcome to the cloud. Oh, my god. Now we have VPS. We have the simple solution. We have the, oh, god. It's getting bad now with the VPS. And now we have the cloud. The cloud is expletive, expletive, ton of expletive complexity. It is crazy what the cloud is typically required of a developer. You're supposed to now have this scalability mindset. You're supposed to have your data in databases that can easily replicate. You're supposed to now use a load balancer. You're supposed to design your app so that they can be easily destroyed and brought up again. You're now supposed to think about different sort of file systems like you have to, maybe, if you use Docker. And, well, there's some good things and there's some bad things. But for the majority, I would like to argue that this is extremely complex. Does it solve the problem of keeping your PHP app or your PHP interpreter or whatever? PHP runtime, sorry. Does it solve the PHP runtime up-to-date problem? Yes. How? Because usually you can just kill your instances in the. But that's a bit lame. So, oh, I want to update to the new PHP. So I need to tear down all my instances, bring them back up again. That sucks, though. And it's really, really complex to keep them all going. You automate that. That's what Chef and Nets do. And then that's another thing you have to write. Oh, I have to use some Chef Ansible Sort of Automation thing. So just imagine, if you're like, just imagine. Just imagine that you just have a simple form and you're just submitting that form and it's sending a mail that you're just collecting people's email addresses. Oh my god, if you had to create something like this, just to collect email addresses, obviously people just end up using Google Forms or something stupid. But no. This is not a great solution for keeping everything up to date. I hate it personally. I find it very, very complex to do that. I mean, how do you update your PHP? How do you just use a Docker image with up to date PHP? Or do you build everything from scratch? Well, it depends on the setup. How do you make sure your PHP is up to date? I don't. No, I mean, as I said, you re-covid in the history of it. Where the crap's I need to drink? Can I just drink out of this? I'll tell you a version that we have in common. Every quarter, somebody will accept it and says, you know what, we need to upgrade our PHP and the other packages. So we basically restart from base AMI, do the updates. Hope that the application works. It doesn't ever. So then we say, you know what? We put it into the pipeline. And six weeks later, somebody gets time, renews the entire testing, and then if it all works, then we just print that image into production. Oh, so you build an image, you test it, make sure it works, and then you roll into production. That is the typical cloud way, I guess, of doing it. But if you're just updating PHP, that is crazy. Come on. That is nuts. It's so heavyweight. Well, the processes have become in this new found age that we live in. So, OK, I'm going, I'm ranting here, but let's think about what, OK, sorry. So how do we solve this problem? Well, I list some points which I think is important. I would like to update my container, my instance of PHP. I would like to update it and have no downtime. And that's quite easily possible with PHP, because PHP usually runs in like fast CGI. You know, it answers a request. It's about eight PHP instances running in fast CGI or something like that. It answers, and it answers each process handles a request. And once it's done the request, then the process can die and start again or something like that. So it should be easy to upgrade PHP, but obviously there's a whole lot of other stuff. So I would personally like it to upgrade on the same machine easily. I also would like diffs everywhere on my system. If PHP updates, I want to see the binary. I want to see, like, you know, I do get status. I want to see that the PHP binary changed. I want to see the Shah-Wan Sam. I want to see the version. And the same goes with other stuff that's not PHP. I mean, I don't know about you. I didn't say why I use PHP. I use PHP largely because it's like a single binary, pretty much. You know, if you're using some, if you're using like Node.js, you have a ship-expletive ton of dependencies. With PHP, it's like one binary. Sweet! Unfortunately, we after that somehow. Another thing I want, I just want to run it off one instance. I don't want to have a cluster of five freaking containers and swap them out and test them and think, I think that's nuts. I just want one container and I want good backups of that data. Another thing that we need nowadays is, like, easy setup of SMTP. Usually, that's a bloody nightmare. You know, setting up SES. Come on, that takes a whole day. A whole day! Come on, let's... I'll shoot someone if it's... 10 years ago, if a developer came to me, oh, I just set up email today. What are you fucking doing, sir? Took you all day to do that? It just worked before. It just worked. And obviously, we need cool things nowadays, like monitoring your app is actually up and functioning. And honestly, I want to maintain a low barrier to entry. The old dream host days, you just uploaded your PHP file. Whoa, whoa, whoa, look at it now! Check this out, guys. Look at this link. Now we're expected to do this. Holy moly, no way. No way. And obviously, some good logging would be good. And so, yeah, I've just gone crazy in front of you guys. Just trying to show you that we are in a bad, bad place right now. And really, I want these problems to be solved in my... I run, like, four or five PHP servers around the world. It's like, it noises the head out of me that I'm expected to do this. No, thank you. I want something simple. I want something like this. Actually, I want to go back to the old days. But I mean, what are the problems of this solution is obviously you don't quite have root and you might be limited in some way or form. But to be honest, and also finding good PHP hosting, who the hell does that in this country? Silence. I'm honestly thinking of setting up my own PHP host and saying, look, instead of maintaining your own operating system, which you're probably going to eff it up, use my host. And I promise to keep it update for you. And I'll even make sure mail works without you spending a day configuring it. So I hope you have the same frustrations as I do. Because you should be worried. You should be frustrated. Because if you're not, then you're probably hosting some crapware that can easily be hacked. How many security issues have actually come up in PHP itself? Quite a few. I don't know when the last remote one was. There's not any PHP. I mean, it's not just, well, yeah, obviously, it's the scripts that are the worst things. But I mean, it's not a big deal. I mean, there has been a past security thing. But it's just like. And you can't keep it update using your distro. If you're using distro bundle PHP. Distro bundle, what's that? I mean, if you're using. Like, dist upgrade or something, or Pac-Man. But no one does that. I mean, I do it. And I'm like, I'm freaking lazy about it. I notice other people are like, what freaking old version of PHP are you running there, dude? Even then, the absolute or young packages are usually like one version behind. It's nuts. Then again, I must say, the new versions of PHP do suck. I mean, object-orientated programming. Who needs that crap? Honestly. So, yeah, I would like, OK, I mean, if someone said to me, oh, Kai, I have the same problem as you. I can't sleep at night. I'll say to you, maybe we can build a solution. Maybe we can think and reduce complexity. Because that's what a good, the difference between a good programmer and a bad programmer. A bad programmer adds complexity. A good programmer reduces complexity. That's what you always got to remember. And right now, it's, ugh. Shouldn't a programmer not have to worry about all these things? As a programmer, you kind of need to worry about it. Because that's the environment you've got to work in. I mean, I care about my environment. It's like, you know, it's like I go to a fancy hipster coffee place because I like the environment. Do you want to sit on a concrete floor? I use Google App Engine and it gives most of these stuff. For me, I don't have to worry about it. But App Engine doesn't have a host in Singapore, does it? Dude, if you don't have your host in Singapore, you suck. I mean, assuming you have Singaporean customers. Beanstalk, then. Elastic, what do I mean? Elastic Beanstalk? You're in Singapore region. OK, but does Elastic Beanstalk, OK, you choose like an app, like PHP app, and then you do your thing? I think you write a configuration, right? You have to ask me, CX, but you write a configuration file and put it in your app. And if you're using Amazon, AMIs, default AMIs, they're a bit automatically. Do that? Yeah. Well, I use the Amazon AMI, it doesn't update? Elastic Beanstalk is OK for that sort of thing. You don't have to control the virtual host, I think, so then if you want to control the virtual host, you end up using your own AMI, in this case, there are the same problems. Which is that you're going to keep the AMI update. Yeah, if you're using custom AMI, custom installation, then you have to worry about that. Sorry, yeah, of course. Security, the main concern about shipping the PHP out of the app, I'm quite not saying why I'm so worried. Why am I worried? No, it's important just to be on the latest stable version, yes, for security issues, mainly, I guess. And also just, come on, I can't think of the reasons, but they're probably other ones. If I have an application that runs perfectly well on 5 and 4 or something, and it's running for years, what's the motivation for me to keep up? Well, if you don't keep up today, then one day there might be a security issue, and your app works great on 5.4, and it doesn't on 6, and it sure as hell won't, or something on 7, you need to keep, it's just being sensible. It's like, you could probably apply the same argument to browsers, it's like, I have Internet Explorer 6, it's a freaking awesome. I'm browsing the web, guys, it's fast, and everything. I think one of the reasons to keep is between 5 and 3, 5 and 4, 5 and 5, the performance improvement is very huge. So for my point, I have a perfectly good application, running well, you keep it up on 5 and 4, and it's going to last a few years. Is 5.4 even, is that a vulnerable one, or is it? It's a security fix only, kind of way. Is it a security fix? It's a security fix only. So he's safe? No, I mean, they fix it only if there is a security issue. Other than that, there is nothing else. If you have that level, but you just have a vulnerable one, fix it. Well, you could apply the same argument to Internet Explorer. I mean, if it fits you well, I mean, no. No, that's different, too. If your application works on 5, on 4, you get security updates, you can leave it. I mean, the applications are going to change. OK, I suppose so. So are you using like Debian stable, and how do you lock into that version? You just do it, but like this, you must have a whole bunch of your other parts of the system that are potentially vulnerable if you don't upgrade the whole system, or you just don't upgrade PHP. If you don't upgrade anything, you just set a firewall then. OK, that is one approach. It probably has some merits, because A, it's f-ing easy. But B, it's going to be- If you're a large corporate entity like PayPal, or I work with a company called FooPen, we have all these corporate internal applications which are completely shitty, and I'm guessing that they've done something like, you know, Britain in 2006 or something, or Internet Explorer in 2006, I guess. And just to answer that, they don't want to touch it. That's a bad attitude. You've got to be more proactive. And there are reasons which I can't think of right now. Yes? I have a question. I moved all my production sites from share hosting to the VPN. Oh, you went from the hardware? You went from the goods? Yeah. I was helping with the share hosting, but I moved to all my VPNs. Oh, jeez. And then, however, one day, the share hosting the company called me, and then they suspended all my account because all my site, because my PHP script usage exists at like 20% of CPU utilization. So that caused my business. Then I learned all the hardware, and I set up a VPS. But I don't need to worry with my VPS. Yes? Of course, PHP question will not be agreed at. But at least, I don't need to worry that someone got controlled to all my production. I guess there's better security isolation of VPS. But the containers, I agree with you. I agree with you. I mean, share hosting had problems. Like, we dream of share hosting until, you know, that they arrive. But dream host, like for example, if I had a vulnerable app running on my home directory, WS got something, something, and someone actually managed to hack it, then they can get into my home directory, which was a bit stupid. But I think they changed that. But is your VPS up today? I mean, you're very happy with your VPS? No, not at all with the data hosting. Because the data hosting also, because they have VPS quite cheap, I was happy. But one day, they told me that my VPS, like, because of security, my VPS, now what they suspect, then they suspect my VPS off. Oh, well. So like, then I scared, then now I moved off to Amazon. Then, so far, OK. Yeah, well, OK. I don't want to talk about VPS hosting stories. I want to just concentrate on how to keep the PHP up today. Sensitive. I don't think the VPS, I mean, your PHP, is it like, do you know what version you're running? You have an old version? Mostly, like, last time is, I normally, I don't care about version to be honest. Like, whatever the version I use in development, I use the same version in production, because this is a version that has more questions. Until I test all my version with a new version, then I can migrate. But mostly, like, somehow you're right that, of course, there are one type of person that my version is already... Yeah, and it's not just PHP. There's other bits and bobs to your system, like, I don't know, the kernel and web server and all that other stuff that needs to be... I'm not sure about that, but for me, as long as my, you know, code is functioning and it is working, I really don't want to dash... I'm not too sure about this whole... I mean, I prefer to be bleeding edge, maybe that's all to keep on the... What's a bleeding edge? Bleeding edge is not the right term, it's called the rolling... I prefer to be on the rolling release edge. Yeah. When you freeze, I've done that for years and I just don't like it, it's just... There you go. It's always some huge jump that you need to make sooner or later. I don't know if the site is always, you know, active and active, but sometimes, like, we've got some small application or some customer, a customer is happy with what they have right now and they don't want to dash and they don't want to... Yeah, and then you get... I don't like this, every web app, every app, I mean, anyone who knows software, you know, you've got to touch it all the time, you've got to massage it. I wish you... You've got to... Otherwise, it is crapware. I don't want to make crapware, I don't want to maintain crapware, I don't want to work with crapware, so it's... That's the beauty, you don't have to maintain it. Well, they... When you hand it off, they're not going to maintain it. Any other questions? Okay, I think the PHP 7 guy, you're in. What glorious bloatware are you going to come up with next? All right, thank you, Kai.