OpenSwoole forked from Swoole (PHP's async/coroutine C extension) in 2021 after a key English-speaking maintainer discovered that Swoole's admin interface was secretly hot-loading code from a remote Chinese server. The whistleblower was expelled from the project, so he forked it.
Swoole/OpenSwoole is a PHP extension written in C/C++ that replaces PHP's traditional request-response lifecycle with a long-running, event-driven server model. It provides coroutines, async I/O, TCP/UDP/HTTP/WebSocket servers, connection pooling, and process management. The fork point was Swoole v4.7.1. OpenSwoole diverged by adding native PHP Fiber integration, gRPC server support, and removing the controversial remote code loading.
Swoole was created in 2012 by Tianfeng Han (GitHub: matyhtf), a senior Chinese PHP developer who got frustrated with PHP's synchronous, share-nothing architecture. He decided to write a proper async networking framework as a C extension, giving PHP the kind of event-driven, coroutine-based concurrency that Node.js developers took for granted. Over the years Swoole became enormous in China — used by Baidu, Tencent, and Camera 360 — but remained relatively niche in the English-speaking PHP world, partly because documentation was almost exclusively in Chinese.
Enter Bruce Dou, a UK-based developer at Transfon Ltd who became one of Swoole's most prolific English-speaking contributors. He wrote the book — literally, 'Mastering Swoole PHP' (Packt, 2020) — and helped build the bridge between Swoole's Chinese core team and Western PHP developers. Bruce submitted security patches, improved documentation, and pushed for features like gRPC support. For a while, it was a productive if somewhat uneasy cross-cultural collaboration.
Then in October 2021, things blew up. Bruce discovered that Swoole v4.8.0's admin interface contained code that silently downloaded and executed a dashboard from business.swoole.com — essentially hot-loading remote code from a server controlled by Swoole's Chinese team into production PHP environments. This was filed as GitHub Issue #4434 and immediately raised alarm bells. The code would fetch a tar.gz file from the remote server and extract it locally, with no user consent or verification. For a low-level PHP extension that runs with full system privileges, this was a jaw-dropping security concern.
When Bruce raised this issue and submitted security patches, the Swoole core team's response was suboptimal. They eventually removed the offending code, but then proceeded to boot Bruce from the project entirely. The whistleblower got the boot for blowing the whistle. Bruce responded by forking Swoole at version 4.7.1, creating OpenSwoole under his company Transfon Ltd, and registering it as a separate PECL package.
The aftermath was messy. Swoole's English website briefly redirected to openswoole.com, causing mass confusion. The Laminas/Mezzio community opened Issue #71 questioning whether Swoole could be trusted at all. Package managers had to figure out which package to ship. Meanwhile, the two codebases began diverging: OpenSwoole added native PHP Fiber support, gRPC server implementation, and its own dashboard, while Swoole continued developing independently. By 2022, API incompatibilities meant you couldn't easily swap one for the other anymore.
Tianfeng Han creates Swoole, the first async networking extension for PHP
Bruce Dou publishes 'Mastering Swoole PHP' through Packt
GitHub Issue #4434: Swoole's admin interface discovered to hot-load code from business.swoole.com
Bruce Dou forks Swoole at v4.7.1 to create OpenSwoole after being expelled
Laminas/Mezzio community debates abandoning Swoole support over trust concerns
OpenSwoole adopts CalVer versioning; APIs diverge significantly from Swoole
“OpenSwoole is a superset of Swoole in terms of Features and Security.”
The Swoole/OpenSwoole split fractured an already small niche within the PHP ecosystem. Swoole was the only serious game in town for async PHP at the C extension level, and suddenly developers had to choose between two diverging forks with incompatible APIs. The drama also raised uncomfortable questions about supply-chain security in PHP extensions — if a C extension with root-level access can silently phone home and execute remote code, what else might be lurking in the PECL ecosystem?
Both projects survived, but neither achieved the dominance that a unified Swoole might have. Meanwhile, competitors like RoadRunner, FrankenPHP, and PHP's native Fiber support offered alternative paths to async PHP.