It is safe to install php from ondrej/php ppa.

WHO AM I?

I am a Debian Developer since year 2000, and I have been packaging PHP for Debian since PHP 5. That means the official packages in Debian and Ubuntu are either my work or they are based on my work. The PHP packages in my Ubuntu PPA and Debian DPA matches the official packages in Debian. Basically I am saying that you can’t get any closer than that.

Askubuntu : @oerdnj

I am a Director of DNS Engineering at ISC, Debian Developer since 2000, Ubuntu Member since 2005, founding member of Ubuntu Česká Republika since 2004.

I (co-)maintain Apache2, PHP, MariaDB, Cyrus SASL, Cyrus IMAP, Berkeley DB and all things DNS in Debian and also have semi-official PPAs for those packages (PHP). I have been member of Debian GNOME GTK+ packaging team. (In other words I've seen things you people wouldn't believe. :-))

I am author of two apache modules (mod-vhost-ldap and mod-log-spread2) and I am co-author of Knot DNS, a fast authoritative-only DNS server, and now I work on BIND, the most used DNS server on the Internet.

I have expertise in routing, DNS, DNSSEC, Debian packaging and much more to list here :).

The developer is preparing a newcomer package debsuryorg-archive-keyring to automatically update the PGP key.

The apt-key list should print:

pub   rsa1024 2009-01-26 [SC]
      14AA 40EC 0831 7567 56D7  F66C 4F4E A0AA E526 7A6C
uid           [ unknown] Launchpad PPA for Ondřej Surý

twitter: Ondřej Surý

github: Ondřej Surý

Installation instructions:

sudo apt install software-properties-common
sudo add-apt-repository ppa:ondrej/php
sudo apt update
sudo apt install php8.0

For the sake of completeness, I'll expand my comment into an answer and let you decide.

A PPA is a Personal Package Archive. Someone has taken source code from another source and packaged it so that Ubuntu users can install them easily.

Your question of "trust" comes down to what are you worried about? The fact is, any one can create an a PPA and have create a glowing homepage that looks perfect. One thing to keep in mind is that whoever makes a PPA is usually a volunteer, much like those of us who read AskUbuntu. So, there are no guarantees. In fact, the one you mentioned is described in these installation instructions, which then refer to this PPA. At this PPA, they have honestly said:

Disclaimer: there's no guarantee of timely updates in case of security 
problems or other issues. If you want to use them in a security-or-
otherwise-critical environment (say, on a production server), you do 
so at your own risk.

Does something like this pass or fail your definition of trust? It seems everyone will have different definitions of trust. In fact, what if I said "yes, you can trust that PPA!" -- but for what reason should you trust me?

My rule of thumb whether it is an Ubuntu PPA or some installation executable for Microsoft Windows is if I am concerned, I shouldn't download it. In your case, your current version of PHP should be sufficient and I wonder if you "need" features in PHP-8 or do you just want the latest version for no reason?

If you still need PHP-8, then you can just download it and install it yourself. This is the site where PHP resides. Installation instructions for this source is available here. This is the most trustworthy as you can get...

Coming from a CentOS background...

Official repos of Ubuntu 20.04, for instance, have PHP 7.4.3 (with backported fixes). If you want anything higher than that, someone needs to compile it for you into a package. I tend to look for how well known the builder is. In the RHEL/CentOS world, that person is Remi Collet (a PHP contributor) who has a repo for his builds.

In the same way ondrej has a website. Not only does he seem well known, he works with other Ubuntu packagers and he seems to be this GitHub contributor.

TL;DR is it safe?

The fact that it's well known means it's less likely you're getting some corner build with either build problems or malicious code. There's no guarantees of course, but no company can guarantee you no malicious intrustion, but with a better known repo, it's less likely it will go unnoticed.

As ray points out, "any one can create an a PPA and have create a glowing homepage that looks perfect".

So lets try to validate the claims.

We can see who the maintainers of the Debian php packages are by looking at Debian's website. Ondřej Surý is indeed listed as one of the maintainers of the php packages in Debian. https://tracker.debian.org/pkg/php-defaults

Ondřej Surý is listed as a Debian Developer with gpg key 30B9 33D8 0FCE 3D98 1A2D 38FB 0C99 B70E F4FC BB07 on https://nm.debian.org/person/ondrej/

So the question becomes whether the Ondřej Surý who maintains the php packages in Debian is the same person who runs deb.sury.org.

One thing we can look at is the e-mail addresses associated with the GPG key. The primary email address on the gpg key mentioned above is "[email protected]", this to me is a strong indication that the sury.org domain is controlled by ondrej sury or at least his family.

The launchpad account and the sury.org domain have also been around a long time. The domain was registered in 2002, the launchpad account was created in 2005. The username on the launchpad account matches Ondřej Surý's Debian username.

In sumary I have a high level of confidence that the person behind that PPA is the same person who is maintaining the php packages in Debian.