Sessions

Open source software is ubiquitous. We fought for its acceptance, and we won. So, why doesn't it feel that way? Why does the win feel so hollow?

With many projects foregoing traditional open source licenses for "source-available" licenses, is open source dead? Are we in a post-open source era?

To find out how we got here, let's look back to the beginnings of the free software movement to discover what made it a movement and not a corporate strategy. We'll consider whether open source has exchanged its jeans and t-shirt in favor of khakis and blue, button-up shirt. More importantly, we'll examine whether this is a greater cultural phenomenon, what it means for the future of software development, and how we can save open source.

The first Law of Ecology: you can never merely do one thing. Actions have side-effects. In this session, we'll explore how changes in software design can have unexpected, profound impacts. In this story-based session, I'll reference both popular and little-known "laws" of computing and life. I'll show how to use these laws to write better software. This session will give you new mental models for thinking about the tradeoffs we make in software...and life.

Developers entering the industry often start by learning frameworks instead of languages. Similarly, senior developers are becoming increasingly reliant on these abstraction layers. And it is true, these layers enable us to build impressive software quickly (most of the time, though sometimes we end up fighting the framework).

However, this increased speed comes at a cost: additional complexity and a shrinking pool of deep expertise. By not understanding the layer beneath, we risk implementing it poorly at the layer above, wasting valuable CPU cycles. The maintenance of these abstractions is often left to a few individuals, creating potential bottlenecks and increasing the risk to the ecosystem's resilience and continuity.

Let's become Software Developers again!

What if we approached software development the way classical musicians learn a piece of music? Drawing from thousands of hours in the practice room, this talk applies a musician’s mindset to coding: using intention, structure, and self-awareness to work more effectively, avoid burnout, and build confidence. We’ll also explore how musicians’ culture of listening, experimenting, and giving feedback can transform collaboration on a dev team. Whether you’re learning a new language or just tired of the grind, you can gain wisdom from the musician’s approach.

Transform your PHP testing strategy with Codeception and Behavior-Driven Development—the powerful combination that turns testing from a developer bottleneck into a collaborative advantage. Join Alena Holligan for a hands-on exploration of how BDD bridges technical and business teams, creating executable specifications that everyone understands.

What You'll Master

• BDD Fundamentals That Work: Move beyond traditional testing silos by implementing Behavior-Driven Development principles that connect user stories directly to automated tests through readable Gherkin syntax.
• Codeception in Action: Get practical experience setting up PHP's most versatile testing framework, from initial configuration to writing robust acceptance tests that mirror real user journeys.
• Multi-Level Testing Strategy: Leverage Codeception's modular architecture to create comprehensive test suites spanning acceptance, functional, unit, and API testing—all from a unified platform.
• Cross-Team Collaboration: Enable product managers, QA professionals, and stakeholders to actively participate in test creation and validation, ensuring requirements are captured accurately from day one.

Live Workshop Elements

• Transform abstract user requirements into concrete, executable test scenarios
• Build reusable test components that scale across projects
• Implement validation patterns for complex business workflows
• Create living documentation that stays synchronized with your application

Perfect For

Developers ready to elevate their testing practices, QA professionals seeking better collaboration tools, and team leads looking to align technical delivery with business expectations. No prior BDD experience required—just bring your curiosity and prepare to revolutionize how your team approaches quality assurance. Leave with your first working BDD test suite and the confidence to implement Codeception across your entire development lifecycle.

Hypertext Transfer Protocol is the protocol of the web. From static HTML pages to web applications to microservices, everything we do as web developers has some relationship to this protocol. To effectively create services that use the web, we need a deeper understanding of HTTP.

This talk goes beyond a surface understanding of GET and 200 OK to explore how an deeper knowledge of HTTP can lead to more efficient web applications. We'll cover topics such as content negotiation, hypermedia, caching, and conditional requests, as well as recent developments in efforts to update HTTP.

Vulnerabilities in our own applications can be hard to spot, but we can learn to identify them in an environment designed to train us, so we know what craziness can get us hacked in the real world. The Juice Shop is a “Vulnerable Web App” built by OWASP, with a range of vulnerabilities from the laughably obvious to the frustratingly intricate.

In the workshop we’ll work in teams, with time to explore, learn how to use our tools and see who can spot ways to hack the system. We’ll also have teaching around how to spot and fix specific vulnerabilities, that you can take back to your own applications, improving security from the engineering team upwards.

Want to learn how to run an accessibility audit, testing against WCAG 2.2 AA Success Criteria, but feel overwhelmed by the ocean of information? This step-by-step tutorial is simplified and made just for beginners.

What You’ll Learn: Common accessibility issues to look for Demonstration of using screen readers to test a website How to write down an accessibility defect How to organize your accessibility report

Practical, real-world guidance from a programmer, just like you.

Perfect for: Back-end and front-end developers tasked to test components for accessibility; Anyone building or managing digital content.

Are you working on a legacy project that is in need of upgrading?

Do you need to make changes to your project that require the same repetitive refactor applied to your codebase hundreds of times and no existing tools can to help automate the task?

If either of these scenarios are familiar you've probably had a look at or used Rector. Rector has hundreds of rules that help with automating upgrades and refactors.

However what happens if you need to do something custom to your project, that is not available with an existing Rector Rule? In this case you can create your own custom Rector rule.

This tutorial will teach you how to create custom Rector rules that can automate tasks specific to your project. By the end of this tutorial you'll know how to create your own rules and have a framework for creating rules for whatever refactor you wish to automate.

Someone on the internet asked: "Hey #php folks: is it possible to hook into the include, include_once, require and require_once calls, like with a C extension or something?" Not only that "yes, it is possible", but also we can write this in Rust! Let's deep dive into the PHP engine internals and build a PHP extension that helps surfacing includes and measure other performance numbers of our PHP application in production. Following one of the best pieces of advice: measure, don't guess! You'll learn what an extension is, the lifecycle of PHP and how to build a basic extension to observe certain PHP behaviour. Bring some understanding of Rust or C and your laptop with either Linux or a Linux VM (Docker is fine, native MacOS should also work) to follow and take part in the exercise.

PHP properties are having a golden age. Starting with PHP 7.4, they've become steadily more capable and flexible, and now in PHP 8.4 interface properties, hooks, and asymmetric visibility absolutely blow open the power of properties.

So now what? Now that we have all this power, what shall we do with it? Is it really just an edge case benefit, or does it necessitate a rethink of what it even means to model data? Or both?

In this session, we'll look at PHP properties, and OOP modeling in general, with fresh eyes to see all that they can, should, and will do to make our lives that much better.

In this session we will explore the development of a custom Rector rule for migrating hundreds of classes off of a legacy framework and onto a set of more modern compositional traits. Using traits we will upend the class inheritance tree, and put guardrails in to contain the chaos. A basic understanding of Rector would help you get the most out of this, but is probably not required, @see Intro to Automated Refactoring with RectorPHP for that.

This talk will showcase how the Drupal AI Agents module can be used everywhere in Drupal for helping with everything from menial small tasks to supercharging you when building your website from the ground up with external tools via MCP. All without having write a single line of code.

It will be based on a grounded reality what agents are actually useful for, but also what their limitations are and when a simple workflow is a more apt solution.

The talk will go through:

• The theory of an agent.
• What are tools and MCP.
• When to use agents as compared to an LLM call or an AI Workflow.
• How the solution in Drupal works.
• Some actual examples live of agents in action.

Learning Objectives

• What agents are and what they can be used for.
• How you build and deploy your own agents without writing a single line of code inside Drupal.
• How you invoke agents in Drupal.
• What MCP is and how it can be utilized.

Note that this is will be understandable to anyone, and will almost not show any coding/code. The framework is completely UI based and can be understood by anyone, though having knowledge in Drupal surely helps if you want to set it up yourself.

“Houston we have a problem! This change you want… Well it’s one small change for the codebase but one giant change to the test suite!”

We all know why tests are great. But every once in a while we just wish they’d never been written. One case when test regret occurs is when we want to alter our functionality slightly but in doing so half the test suite goes from green to red.

This talk will investigate why this happens. In particular it looks at the coupling between tests and the code under test. We’ll investigate ways we can reduce this coupling and make out test suites more resilient to change.

Testing your database can lead to slow, complex tests that are hard to write. Hard to write tests, usually don't get written. There can be a better way of testing this type of code.

Using a PHPUnit Extension and framework-agnostic database tools, we can improve tests that interact with the database. Easily configure connection details, ensure a clean database before each test, programmatically load datasets, and make assertions on database state.

Despite our best efforts, it’s difficult to future proof our digital assets and open source projects for accessibility standards. Our code and design may follow current standards, but will your careful compliance become obsolete when new guidelines are released? What happens when other contributors add features and documentation? What browsers or assistive technology agents do your consumers use?

We will review a holistic approach for the complete lifecycle of an open source project —including how to iterate on existing content without impacting the hard work you put in during the build phase. Much like SEO...your work is never done. It should be considered in the initial build, then maintenance, complete with sprint regression testing, etc.

Attendees will come away from this session with:

• How to get started on improving accessibility on an existing project
• Tips on what useful combinations of user agents, browsers, devices, etc. to test
• A list of free tools that a site owner/content author can use to be sure their website is compliant before and after a build
• What WCAG and other guidelines are on the horizon

Database performance bottlenecks remain one of the most common sources of application slowdowns, yet many developers lack the practical knowledge to identify and resolve these issues effectively. This talk bridges the gap between theoretical database concepts and real-world optimization techniques that can be immediately applied to production systems.

We'll explore a systematic approach to database optimization that goes beyond basic indexing, covering query plan analysis, connection pooling strategies, and schema design patterns that scale. Attendees will learn how to use database profiling tools to identify performance hotspots, understand when and how to denormalize for performance gains, and implement caching strategies that complement rather than complicate their data layer.

The session includes live demonstrations of optimization techniques across popular database systems (PostgreSQL, MySQL, and MongoDB), showing before-and-after performance metrics from real applications. We'll examine common anti-patterns that developers unknowingly introduce through ORMs and frameworks, and provide actionable solutions that don't require abandoning existing toolchains.

Key takeaways include a practical checklist for database health monitoring, guidelines for when to optimize versus when to scale horizontally, and proven techniques for reducing query execution time by orders of magnitude. Whether you're dealing with slow API responses, growing datasets, or planning for scale, this talk provides immediately applicable strategies to make your applications faster and more reliable.

Target Audience: Software developers, backend engineers, and technical leads working with database-driven applications

Event Sourcing is a powerful architectural pattern that captures application state changes as a sequence of immutable events, enabling robust, auditable, and scalable systems. In this beginner-friendly talk, we’ll demystify event sourcing and show how PHP developers can implement it effectively to solve real-world problems. We’ll explore the core philosophy of event sourcing - storing "what happened" instead of "what is" - and its benefits, including complete audit trails, simplified debugging, and flexibility for future features.

Using practical PHP examples, we’ll walk through a simple event-sourced system with a relational database (e.g., MySQL) in a Laravel example. Attendees will learn key concepts like event stores, aggregates, and how that causes optimized performance.

This talk is perfect for developers new to event sourcing or those curious about its practical applications in PHP. By the end, you’ll have a clear understanding of how to start incorporating event sourcing into your projects, whether for e-commerce, financial systems, or complex workflows. Join us to discover how event sourcing can make your PHP applications more resilient and adaptable!

Ah, Structured Query Language! Everyone's favorite quirky declarative language! Do you ever wish you had a coding assistant for the times you need to write SQL, or just want to write queries in English? Artificial Intelligence has progressed greatly in the past several years, so why not send it off to deal with databases on your behalf? This is a survey of what you can, and should not, do with AI in dealing with your databases. You will also see how an AI assistant can help you write or rewrite queries, investigate that schema 'tossed over the wall' that you know nothing about but have to support, and take care of all that yucky syntax stuff. Unless you really like writing later subqueries and CTEs that rhyme in iambic pentameter for fun, it is time to start working with an AI when dealing with databases.

You've come up with your brilliant idea for a new software project and submitted the source code to GitHub, but now what? What are the pieces of an open source project besides the code? What configuration, support, and (gasp) documentation goes into making a project that is easy, clear, and enjoyable to contribute to? The inverse is true as well: as an open source user & contributor, what items should you look for in a project you're interested in using or supporting? This talk will go into:

• Git & GitHub configuration
• Guides for users & contributors
• Helpful tools for supporting repository health and consistency

As developers, we frequently create and consume APIs, whether in mobile, web, or backend development. APIs are crucial for data interchange between services and interfaces. This presentation will focus on the critical first step in API development: defining a robust API specification.



We will explore a step-by-step process for creating an API spec, covering where to begin, the essential components to consider, and valuable resources to utilize. Additionally, we’ll discuss common pitfalls and how to avoid them. By the end of this session, attendees will have a clear understanding of best practices in API specification design, ensuring smoother implementation and integration in their projects.

This experiential talk addresses the challenges and recommended practices for upgrading multiple large, integrated codebases from PHP 5.3 to PHP 8 within a compressed nine-month timeline. Though it may be preaching to the choir, even the choir needs preaching to from time to time about why upgrades matter: security, performance improvements, new language features—and did I mention security? When stakeholders resist investing in updates, involving cybersecurity teams to highlight vulnerability risks can create necessary momentum.

Organizations typically accumulate technical debt through absent upgrade processes, perceived difficulty, non-standard extensions, and deprioritization of maintenance work. The presentation emphasizes that staying current is ultimately easier than catching up, advocating for frequent practice of difficult tasks until they become routine.

The talk acknowledges starting points matter: the subject codebases were messy, procedural, highly duplicated, and lacking modern structure. No automated testing or static analysis existed at the outset. As a newcomer to the company, I faced the additional challenge of working with codebases that neither I nor my team fully understood. Though the codebases ran on PHP for Windows, the principles and processes described are platform agnostic. Drawing from previous multi-year PHP migration experiences, the accelerated nine-month approach required rigorous methodology and careful planning. PhpStorm is highly advocated as a crucial tool, especially when tackling PHP updates for very old code.

The outlined process begins with enforcing standardization and comprehensive error capture without suppression. A crucial early step involves the challenging task of implementing static analysis and automated testing for procedural legacy code—requiring imaginative, often non-standard approaches that would eventually be discarded as the codebase modernized. The process continues with implementing future-compatible code structures before methodically progressing through PHP 5's minor versions, then to PHP 7, and finally to PHP 8. Throughout, special emphasis is placed on developing sustainable upgrade methodologies to meet the aggressive timeline while creating processes that make future updates more manageable.

Git can feel like a boss battle: confusing, punishing, and full of mechanics you weren’t properly warned about. But if you've ever played a video game, you already understand more about version control than you think.

In this talk, we’ll reframe Git’s concepts through game design, from commit as your checkpoint save to stash as a quick inventory swap. Then we’ll level up: what does rebase have in common with timeline rewrites? Why is reflog your hidden save system?

Whether you’re early in your Git journey or managing complex workflows across teams, this talk will give you a new, more intuitive mental model for working with Git using the kind of logic games have taught us for years. You’ll leave with deeper insight into history, recovery, collaboration, and confidence, navigating even the trickiest parts of your version control quest.

For years, web developers and app developers have been siloed, looking at each other with jealousy. How come these people get to do push notifications? How come these people have such a simple build process? And why can’t we all just work with the same codebase?

A PWA (Progressive Web App) marries all these needs together, starting with a run-of-the-mill website and adding features as they’re appropriate. The most interesting part: You can start with a website you’ve been working on right now.

In this talk, Lemon will take you through the process of starting with a simple HTML website add add features like caching, notifications, desktop installation and offline mode to create an app that’s as interesting and dynamic as you’d want it to be.

Dive into the core of AWS security with an in-depth exploration of Identity and Access Management (IAM). This talk aims to unravel the complexities of IAM, providing a clear understanding of its policies, their types, and how they interact. Designed for developers, architects, and infrastructure teams, this presentation will equip you with the tools to debug permission errors, interpret IAM policies accurately, and navigate the interplay between various policy types, used to secure a robust and secure AWS environment.

DDEV is a Docker-based tool for local development environment. It provides simple commands to spin up a local environment for Laravel, Drupal, WordPress, Magento, and its later iterations, even JS-based frameworks such as AstroJS. DDEV.com is an Astro.js website. As a maintainer, I use DDEV to test new features and ensure that any given issue is resolved without worrying whether any settings on my host OS might create an issue.

What do you think of your monolith? It's a system built over maybe many years, possibly by many developers, but it seems to cause so many issues - unexpected bugs, difficulty testing, a challenge to train new developers on. Should you tear it down and rebuild with microservices? What would you lose?

The monolith has come in for criticism, some of it deserved, in recent years. Microservices are heralded as the solution to many problems we face with monolithic applications. This talk will explore the reasons underpinning these architecture decisions, and examine if we can apply these principles to evolve our monolithic applications. We'll learn about coupling, pros & cons of different approaches, and explore real world examples to see how thinking well about architecture choices can benefit us. We'll even see how monoliths and microservices can work together - is there a best of both worlds?

Join PHP 8.5 release manager Daniel Scherzer for a deep dive into the new features, syntax updates, deprecations, and surprises coming in the latest version of PHP. These are already available for testing in PHP 8.5.0RC3, which lands right as Longhorn PHP 2025 kicks off on October 23rd.

Whether you're maintaining legacy apps or building bleeding-edge libraries, this talk will help you prepare for PHP 8.5 and adopt its features with confidence.

Features include

• A new URL handling extension
• Expanded syntax support in constant expressions
• The pipe operator (|>)
• Attribute changes
• Object cloning with property changes

and more

One of the things that developers often leave last when pushing out code is security. The amount of support requests I get in alone on implementing APIs on PHP versions that were end of life 2+ years ago tells me we still neglect security.

You have hashed passwords, fine. What about more modern application auth? Well, some people might already be using two-factor authentication with SMS. BUT... have you heard of Silent Authentication? Ever tried a Yubikey integration? In this session, we'll revisit security to open new doors you might have missed.

In this talk we'll cover strategies to secure and deliver your applications with zero-trust technologies. Leave behind the world of cloud servers with public IPs, network whitelists, and slow corporate VPNs. We'll cover how to use products like Cloudflare Access to secure your cloud infrastructure as well as integrate authentication and authorization from the edge directly into a PHP application with single-sign on and JWTs. You'll walk away with a set of tools that scales from one server to thousands and a playbook for modern security and connectivity for your PHP apps and supporting services.

“Shifting left” means integrating testing and quality checks from the very start of a project, rather than near the end. This approach helps detect issues sooner, reduces rework, and improves overall quality—an especially important factor in higher ed digital projects with multiple stakeholders. In this session, we will demonstrate practical ways to embed testing into daily development tasks, such as automated code checks, static analysis, and continuous integration pipelines. Attendees will discover how to foster a quality-focused culture within digital teams to deliver more reliable and accessible experiences.

From this talk, attendees with take away:

• Understand the principles and benefits of shifting testing earlier in projects.
• Explore tools and scripts that automate testing within the development pipeline.
• Adopt a quality-centric mindset that encourages collaboration between developers, designers, and QA teams.
• Learn how early testing contributes to more predictable project timelines and budgets.

You were just handed the keys to a new repo. Your first glance over the code base causes the fearful "LEGACY" word to ring in your head. HAVE NO FEAR! I'll share the techniques I've learned after working on several legacy codebases to help update that old code to the current PHP generation. We'll cover triaging the old code base, writing tests to make sure you don't break anything, and how to modernize your old code base!

As shocking as this may be, not every team has a dedicated database administrator. Like many developers, I have had to learn difficult lessons about database design the hard way when under a lot of pressure to get something that’s broken fixed. In this session, we will go over how to normalize our database, how to use indexes to improve our performance and discuss using constraints to make sure that the data entered into our database follows our business rules.

Discover how to bring lightning-fast, typo-tolerant search to your PHP applications using Typesense. This talk introduces the core concepts of Typesense, from setting up your search engine to designing schemas and indexing data. You'll see how easily it integrates with frameworks like Laravel to deliver instant, intuitive search experiences. Whether you're building an e-commerce platform, admin dashboard, or even just a blog, you’ll walk away with practical techniques to level up your search game.

Playwright is an open source end to end testing Framework by Microsoft for testing your modern web applications. Playwright supports all modern browsers and works on all platforms.

Playwright can automate what a user does such as clicking on elements, filling in text etc.

If you take it one step further, playwright can be used as part of a monitoring solution: checking your site continuously for changes and regressions.

In this talk Nočnica will show how Playwright can automatically test complex user interactions with your site.

Time is one of the hardest problems in software even if you're not working across time zones, formats, and legacy systems. In this talk, you’ll learn how to manage time effectively in PHP web applications, including how to handle daylight saving transitions, properly use DateTimeImmutable, and avoid pitfalls in date math. Whether you're maintaining a legacy system or building greenfield, this session will equip you with the tools and patterns to avoid time-related bugs and improve code reliability.

For many developers, the terminal remains an intimidating black box — powerful, but mysterious. This talk is a gentle introduction to the command-line interface, tailored for those who prefer quiet mastery over noisy GUIs. We'll explore how the shell can become your most trusted companion in development, unlocking speed, precision, and automation across Linux, macOS, and even Windows. Whether you're deploying code, managing servers, or just trying to simplify your workflow, you'll leave with practical tools and a newfound confidence to crawl into your shell — and thrive there.

The farmer emoji (👩🏾‍🌾) is a bit of a mystery.

PHP's strlen function says that its length is 15. mb_strlen gives a length of 4 (depending on how PHP is configured). The grapheme_strlen function returns a length of 1.

Why do all these functions disagree? And there's just one emoji there...shouldn't they all have the same length: 1?

To understand this madness, you need to understand a little about Unicode. Many developers, myself included, get intimidated by Unicode. What's "UTF-8"? What's a "code point"? What does "U+1F937" mean?

In this talk, I'll try to answer these questions so that the next time someone gets confused by the length of the farmer emoji, you can help.

When I enter the matrix, I bring two friends. It ain't Neo and Morpheus, it's my two favorite developers Devin and Claude. After helping Devin setup our codebase on his machine, he's been fixing issues quickly when we tag him in Slack and jumps on feedback in his PRs. My other developer Claude isn't as independent but charges way less than Devin. Both need to be given well-defined tasks so they don't get too off track which I've been using GPT to help me with. I've been 10x developer all my life but with both Devin & Claude, I'm at 100x now. At this point my day consists of waking up, grabbing my coffee & sunglasses, sitting in the computer chair, and I start vibing.

Wait, did I mention Devin and Claude are not actual developers, they are AI.

This talk covers my modern workflow for developing features, tests, and documentation with AI using Claude Code and Devin AI - I cover best practices, ways to get the most out of AI to code depending on your budget.

PHP extensions are written in native code. I write one in Rust to show a bit about what makes PHP extensions what they are! We'll go over the internal structures and functions needed to make a functional PHP extension, and some of the differences between thread-safe and non-thread-safe builds, as well as debug and non-debug. This is mostly an informational talk.

Every container starts with a FROM line, but how often do you really think about what you’re inheriting?

Popular base images come loaded with hundreds of packages, bringing along complexity, vulnerabilities, and compliance headaches you didn’t ask for. In this session, we’ll take a closer look at what’s hiding inside widely used images, and how those dependencies quietly introduce risk into even well-maintained applications.

You’ll learn how adopting minimal, verifiable, and low-to-zero CVE images can reduce your security surface and streamline compliance workflows without changing how you build.

Through live demos, we'll explore what happens when you:

• Scan popular images with Grype
• Try using weak crypto in a FIPS-compliant container
• Swap your base image without breaking your build

Whether you’re chasing FedRAMP, tuning your CI/CD pipeline, or just tired of the patch-and-scan grind, this talk will help you modernize your container strategy without disrupting your workflow.

PHP Installer for Extensions (PIE) is an innovative tool I am writing for the PHP Foundation to modernise how PHP extensions are installed and managed. For decades, PECL has been the go-to mechanism, but it's time for a change. In this talk, we’ll explore why PIE is poised to replace PECL, its goals, and what makes it a game-changer for PHP developers. We'll dive into PIE's features, demo its usage, and provide a glimpse of its roadmap, including exciting enhancements already in the works. Whether you're a seasoned developer or new to PHP extensions, discover how PIE is shaping the future of PHP extension installation.