PHP Podcast – April 30, 2026 Hosts: Eric Van Johnson & John Congdon Another fun episode of the PHP Podcast! Here’s what we covered: The Drone Slayer Strikes Eric and John wrapped up a Padres game at beautiful Petco Park in downtown San Diego — and things got weird on the way out. A rogue drone started buzzing around a busy intersection, lingering on a guy on a scooter, before making a fateful attempt to fly in front of Eric’s car. It did not make it. The controller came running out, Eric kept driving, and John has already dubbed him “the drone slayer.” Eric still hasn’t looked at whether his wife’s car got scratched, which feels like the bravest choice of all. Baseball Week Never Ends The reason today’s episode started an hour early? Baseball. John’s week was wall-to-wall: a Tuesday night little league game, the Padres game with Eric on Wednesday, practice Thursday night, the playoff draft reveal Friday, a little league game Saturday, and another Padres game Sunday. Eric pointed out John was wearing his own last name on a jersey to a Padres game, which opened up a whole sidebar on why anyone buys a $200 jersey with a player’s name on it when players change teams every two years anyway. Walking Pneumonia and the Power of the Right Antibiotic John’s week was also scrambled because his son had been diagnosed with regular pneumonia — but after not getting better, a second doctor visit revealed it was actually atypical (walking) pneumonia, which requires a completely different antibiotic. Once on the correct medication, his son bounced back almost immediately. The kid had been pushing himself trying to feel well enough for sixth grade camp, but there’s really no faking it with the wrong treatment. The Archie Situation — AI Standups Gone Sideways Eric has had a rough stretch after Anthropic shut down OpenClaw, the platform that powered their internal Discord bot Archie (a.k.a. Alfred). Archie had been running daily team standups, generating weekly summaries, letting team members tag it with updates throughout the day, and even setting reminders. Everyone got spoiled by it. Since then, attempts to migrate to Ollama — both locally and through the web service — have been plagued by slow response times and dropped messages. Eric is close to pulling the plug and going back to the old manual method, and he’s not happy about it. Claude SSH’d Into Eric’s Server and Fixed Everything For weeks, Eric had been fighting a broken Postiz Docker container — a self-hosted social media scheduling tool he uses to post across platforms. After updates broke it and multiple attempts at a fresh install still left it broken, he dropped the problem in Claude’s lap and explained the whole situation. Claude asked for permission to SSH into the remote server on Eric’s Tailscale network, and Eric said sure. Thirty minutes later, Claude had identified the culprit — a Temporal workflow engine losing its configuration on restart — wrote a fix script, configured the service to reconfigure properly on boot, and even set up a cron job to restart the container on reboot. Eric’s still trying to find that chat to review exactly what it did, but the service is running. GitHub is Getting Hammered by AI Agents GitHub has had a rough patch of outages, and the numbers tell the story: 20 million new repos per month, 1.4 billion commits, 90 million pull requests — with a dramatic spike right at the start of 2026. Part of the culprit? AI agents being unleashed on codebases to automatically open pull requests from backlog tickets. Eric has a client doing exactly this, and while it sounds impressive from the owner’s perspective (“look at all this work getting done!”), the developers on the ground report that a high percentage of those AI-generated PRs require significant human correction before they’re anywhere close to mergeable. The comparison to Reddit’s early explosion — and the one engineer who basically didn’t sleep for two years — felt pretty apt. The GitHub Security Vulnerability Nobody Talked About As if the outages weren’t enough, GitHub quietly disclosed a serious security vulnerability: a specially crafted git push — using malformed options in the push metadata — could allow arbitrary code execution on GitHub’s own servers. Eric had to dig to find the blog post because GitHub was not exactly shouting about it. To their credit, they state that their investigation found no evidence the vulnerability was ever exploited in the wild. But knowing that a specific sequence of bytes in a git push could have handed someone the keys to GitHub’s servers is genuinely unsettling. The Creator of Ghosty Is Leaving GitHub Mitchell Hashimoto — creator of the Ghostty terminal and formerly of HashiCorp — announced he’s leaving GitHub, where he’s been a user since 2008 (user #1299). This comes shortly after the Zig programming language made the same move, also citing reliability concerns. Eric was mildly skeptical of the “announcing I’m leaving” genre of posts, pointing out that GitHub doesn’t especially need your permission to stop using it. Notably, Hashimoto’s post doesn’t say what he plans to use instead. John joined GitHub in 2009, which led to a fun live expedition through his commit history — turns out he got serious about coding right around July 2013, roughly when DiegoDev landed its first client. Update Composer. Like, Right Now. PHP developers tend to set Composer up and forget about it — but there’s been a serious security vulnerability patched in a recent release that you absolutely want. The fix is simple: just run composer self-update. It updates in place and keeps a rollback copy in case anything breaks. While you’re at it, if you have global Composer packages installed, run composer global update to catch those too. Eric noted that Composer should really warn you when you’re significantly behind versions, the way Claude Code does. Until it does, just make a habit of it. Linux Kernel Exploit — Patch Your Servers A CVE was shared in the phparch Discord that affects Ubuntu, Amazon Linux, and Red Hat: a Linux kernel exploit that lets an attacker gain root access with a remarkably small payload — around 732 bytes targeting setuid. It’s a good reminder that the old sysadmin badge of honor (“my server has 5-year uptime, never rebooted”) is the wrong mentality now. With tools like Terraform and infrastructure-as-code, spinning up a freshly patched machine is the move. Keep your operating systems current, especially Linux servers running in production. Holly Built a PHP Tek App — And It’s Already Good Community member Holly built a native attendee app for PHP Tek, available now in beta on iOS (via TestFlight) and Android. You can browse the schedule, select the talks you want to attend, and it’ll warn you if two of your picks are in conflict — a “merge conflict,” as Eric put it. Best of all, it sends push notifications when sessions you’ve favorited get moved or rescheduled, which happens constantly at tech conferences. Eric’s wife installed it without being told anything about it and figured it out on her own — about as good a usability test as you can get. The app is built natively in Swift and Kotlin. Be kind to Holly — this is a gift to the community. PHP Tek in 19 Days + New PHP Architect Merch PHP Tek is nearly here — 19 days out in Chicago. A brand new PHP Architect elephant is coming (tentatively named Holly, after a live-stream vote). Eric also walked through new merch at store.phparch.com: a v-neck version of the classic rainbow PHP Architect shirt, and his personal labor of love — the “I have standards, specifically PSR 0, 1” tee — which he admits has sold exactly zero copies. If the hotel room block is sold out by the time you read this, reach out to the team directly and they’ll see what they can do. Links from the show: Postiz — Open Source Social Media Scheduling GitHub Security Advisory: Remote Code Execution via Git Push Options PHP Tek 2026 — Chicago PHP Architect Store PHP Architect Discord An update on GitHub availability Migrating from GitHub to Codeberg Ghostty Is Leaving GitHub Securing the git push pipeline: Responding to a critical remote code execution vulnerability Composer 2.9.6 fixes Perforce Driver Command Injection Vulnerabilities (CVE-2026-40261, CVE-2026-40176) Copy Fail: 732 Bytes to Root on Every Major Linux Distribution. Host: Eric Van Johnson X: @shocm Mastodon: @eric@phparch.social Bluesky: @ericvanjohnson.bsky.social PHPArch.me: @eric John Congdon X: @johncongdon Mastodon: @john@phparch.social Bluesky: @johncongdon.bsky.social PHPArch.me: @john Streams: Youtube Channel Twitch Connect & Hire PHP Architect Website Twitter/X Mastodon Hire PHP Developers Looking to hire PHP developers? Email support@phparch.com – Joe and the team are available for consulting, infrastructure work, Ansible playbooks, and code review. Partner This podcast is made a little better thanks to our partners Displace Infrastructure Management, Simplified Automate Kubernetes deployments across any cloud provider or bare metal with a single command. Deploy, manage, and scale your infrastructure with ease. https://displace.tech/ PHPScore Put Your Technical Debt on Autopay with PHPScore CodeRabbit Cut code review time & bugs in half instantly with CodeRabbit. Music Provided by Epidemic Sound https://www.epidemicsound.com/ Join Us Live Next Week Youtube Channel Got feedback? Join us on Discord at discord.phparch.com The post The PHP Podcast 2026.04.30 appeared first on PHP Architect.
