Newsgroups: php.internals
Path: news.php.net
Xref: news.php.net php.internals:108442
Return-Path: <zardozrocks@gmail.com>
Delivered-To: mailing list internals@lists.php.net
Received: (qmail 77515 invoked from network); 10 Feb 2020 23:39:13 -0000
Received: from unknown (HELO php-smtp4.php.net) (45.112.84.5)
  by pb1.pair.com with SMTP; 10 Feb 2020 23:39:13 -0000
Received: from php-smtp4.php.net (localhost [127.0.0.1])
	by php-smtp4.php.net (Postfix) with ESMTP id 0449E1804F8
	for <internals@lists.php.net>; Mon, 10 Feb 2020 13:52:58 -0800 (PST)
X-Spam-Checker-Version: SpamAssassin 3.4.2 (2018-09-13) on php-smtp4.php.net
X-Spam-Level: 
X-Spam-Status: No, score=-2.1 required=5.0 tests=BAYES_00,DKIM_SIGNED,
	DKIM_VALID,DKIM_VALID_AU,DKIM_VALID_EF,FREEMAIL_FROM,HTML_MESSAGE,
	RCVD_IN_DNSWL_NONE,RCVD_IN_MSPIKE_H2,SPF_HELO_NONE,SPF_PASS
	autolearn=no autolearn_force=no version=3.4.2
X-Spam-ASN: AS15169 209.85.128.0/17
X-Spam-Virus: No
X-Envelope-From: <zardozrocks@gmail.com>
Received: from mail-wm1-f54.google.com (mail-wm1-f54.google.com [209.85.128.54])
	(using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits)
	 key-exchange ECDHE (P-256) server-signature RSA-PSS (4096 bits) server-digest SHA256)
	(No client certificate requested)
	by php-smtp4.php.net (Postfix) with ESMTPS
	for <internals@lists.php.net>; Mon, 10 Feb 2020 13:52:54 -0800 (PST)
Received: by mail-wm1-f54.google.com with SMTP id t14so991321wmi.5
        for <internals@lists.php.net>; Mon, 10 Feb 2020 13:52:54 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
        d=gmail.com; s=20161025;
        h=mime-version:references:in-reply-to:from:date:message-id:subject:to
         :cc;
        bh=D6XIHDs3V5sEoTCjwosIExBKbb/m+FJeTXxrH1Yj0H0=;
        b=DdRgGUtA9FbVESs+5rHKCzkEQjbIodXLSvqLrCcfq3vdCpK0HiGFVyZXcyp0OvO/Ee
         Cj8pcnJWD6iuAX5cLTO1vw8hr6fRje95epZ02quHBzmFs9NnhUlOpea2xezh1tpjirIU
         PX8NPB6NWj+nWL8wFEQ76XHynq0HzeATKRFdd6cfWeKzZr/pZXLuCJkJGs68sG2AciDZ
         ueFSXxi6MWlpPXYWx+2o0bYK91pr7m21edo8GoRBdaKdQZf54/6sM7GJU9zFpE/o+xI6
         1Y/15b3zO9EWg9AGLihxZ8Rna3t0TsIoFgDuSmtnVmXw07TEjTyWUNBN5ro39NU96vo3
         MieQ==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
        d=1e100.net; s=20161025;
        h=x-gm-message-state:mime-version:references:in-reply-to:from:date
         :message-id:subject:to:cc;
        bh=D6XIHDs3V5sEoTCjwosIExBKbb/m+FJeTXxrH1Yj0H0=;
        b=Ule6gkqY5tpY/EgHzLjR/7cRXsWyiu/GOOKq/vQSsQjaZVZFVR6myFEhirOGdJl7lB
         14AUmirynh/66rMxqLLGx35Dw2vwjOYfygcpNDqgV51xOVIAkZaHDvvbbgCf9kfT7j8C
         pozSkbjRQFt09MGfaiGc1nAurP/Zc750j37WcvJSbjAIvme0olAI5UjllIS1pHrJwZB3
         N410687P3qiH7p3lS+zq/t9cY45kKCGy3u5x4UCJrAi+mg9YCZ11JXQSHQb4Rry9nJCC
         Zi6Q2g6yK54jZJLuLyg7ykFMfTQZae6crVW4HhOtxuQLZX8v3Cd/fKjwGiynHbCOnNeO
         E8pQ==
X-Gm-Message-State: APjAAAVadN2HSuMd/GOIPhRRReQaWlotc2LynzU8JEsw3mA8pLj/GbRN
	mot9xXaEWcMr3N5j5BEeQfTS6BEQ59vOCX50qW0dEw==
X-Google-Smtp-Source: APXvYqybUqLo9+EBpDrKVaPQb+fuuuep2dHN08wL59tU090SLaJ4PJilrCTeyzz/K5UktJGGrchKkXL/Gcw2c50GCPI=
X-Received: by 2002:a05:600c:2058:: with SMTP id p24mr1013535wmg.96.1581371573548;
 Mon, 10 Feb 2020 13:52:53 -0800 (PST)
MIME-Version: 1.0
References: <CAN+C6bVeO4nU_3egiwhM0MML9NUJJB4oYgWVUo_bhJRPKUVpPQ@mail.gmail.com>
In-Reply-To: <CAN+C6bVeO4nU_3egiwhM0MML9NUJJB4oYgWVUo_bhJRPKUVpPQ@mail.gmail.com>
Date: Mon, 10 Feb 2020 13:52:42 -0800
Message-ID: <CADbOR2i3Jq25rVPwvYtRN=mJ+rrJH40LhyvzpBx89t1tob6_Ag@mail.gmail.com>
To: Tom Van Looy <tom@ctors.net>
Cc: PHP internals <internals@lists.php.net>
Content-Type: multipart/alternative; boundary="000000000000e63bc2059e3fc2f4"
Subject: Re: [PHP-DEV] [RFC] deprecate md5_file and sha1_file
From: zardozrocks@gmail.com (j adams)

--000000000000e63bc2059e3fc2f4
Content-Type: text/plain; charset="UTF-8"

I disagree. While MD5 and SHA1 might not be suitable for modern
cryptographic operations, these functions might be needed for legacy
situations -- e.g., munging through old data.


On Mon, Feb 10, 2020 at 1:50 PM Tom Van Looy via internals <
internals@lists.php.net> wrote:

> Hi
>
> While in some environments the use of MD5 and SHA1 are still acceptable for
> some use cases like file integrity verification etc. the use of these
> algorithms should be discouraged and not be your choice when developing new
> applications.
>
> I suggest to deprecated the functions md5_file() and sha1_file(). This will
> make people think about upgrading to a better alternative. If you still
> need this functionality you can always switch to the hash_file() function.
>
> Carrying around these two dedicated functions seems a bit too much for a
> modern PHP. What do you think?
>
> My feeling was that this is a no brainer. Should I open an RFC for this?
>
> Kind regards,
>
> Tom Van Looy
>

--000000000000e63bc2059e3fc2f4--