“And the best code in this case is code you didn't write as PHP's session handler is battle-tested”

cPanel is written in perl.

cPanel is 30 years old, are you saying it's not battle tested, boring, proven, and widely audited?

In fact PHP is only a few months older than it.

I don't even know why you'd want to re-implement this stuff, too. It's not exciting or sexy work. It's like time parsing, time zone handling, leap years... Why would you want to inflict that on yourself? You will 100% not handle every edge case, and you will 100% get time and time zone handling bugs.

I doubt the mantra of "don't roll your own Auth/crypto" - especially if it lives on a server where the code can't be inspected.

Sure, there will be more bugs in my code, but the attackers will be putting far more scrutiny into a widely used library.

Some deliberately hilariously weak auth I built decades ago is only just now starting to get broken into by AI bots, whereas any vulnerable wordpress was broken into within days.

At the rate we are going, we will all go back to publish HTML website like in Geocities times.

I used to help nonprofits and small businesses build websites. Process always went like 1. buy domain, 2. buy a shared hosting provider that one-click-installs Wordpress, 3. use a theme to begin editing the website. Often, I would also use the email included with that hosting provider for the firm.

ALL of that goes through cpanel, for every shared hosting provider I can ever remember using. Even if the stuff happening on those servers didn't use perl, cpanel itself -- the admin of everything provided for that domain by the hosting provider -- it's a huge surface area.

I still deploy a bunch of simple sites, built around the CGI::Application framework.

I understand how they work, I'm familiar with HTML::Template, and related modules, so I can hack up a quick interactive/dynamic site in a couple of hours.

They're no longer things I'd run on the public internet, but for quick internal things it's very easy to deploy a container with a perl backend.

cPanel is just about as far away from “unproven” as possible.

Why? This one gives you a root shell directly, no need for an LPE.

Really not looking forward to a regulated software industry. It will cause a lot of gatekeeping and bureaucracy. It's one of those things that may seem good, but in practice, it's pure waste in every way imaginable. Will just lead to exclusivity, gatekeeping and artificial friction. This is a hill I'm willing to die on. Those making software have plenty of incentives to make it good, and bad software is punished already to the fullest extend (because it's not fun to get compromised or your reputation ruined; this is a natural incentive)