In D21497#272834, @epriestley wrote:

What's the specific issue you run into with PHP8 with the existing code -- the function emits a deprecation warning when called?

Since the attack surface on the XML entity loader is huge/scary (historically, see D8049), I'd prefer to continue explicitly disabling it if we can. Although there's probably no real risk, I can imagine scenarios like some distro shipping a version of PHP which enables it by default, or users enabling it by default because they run some other software that needs it alongside Phabricator. In these cases, we're a little better off at runtime if we continue disabling the loader.

If this just raises a deprecation warning under PHP8, I'd be more comfortable "fixing" it by suppressing the warning with @ (so @libxml_disable_entity_loader(true); -- not sure how familiar you are with PHP) so that we're still making sure the loader is disabled. Is that reasonable, or does it create more problems?

Yeah, you just get a couple of annoying:

Deprecated: Function libxml_disable_entity_loader() is deprecated in /Users/Jess/Git/arcanist/support/init/init-script.php on line 98

In trying to arc diff --update this I got an exception (but it worked with --head, which I had been using to submit each commit of the patch series). What's the best way to test out arc itself and reproduce that? Use admin.phacility.com to get a testing instance?

Feel free to test against secure within reason if that's easier. These patches might not seem like a big deal, but stuff like this which just makes my life easier is incredibly rare, so make yourself at home.

Otherwise, admin should work. If you want to sign up for a permanent instance, just shoot me a message via the Support interface and I can credit it indefinitely so you don't lose your config after a week (it won't ask for a card or anything).