Newsgroups: php.internals
Path: news.php.net
Xref: news.php.net php.internals:108444
Return-Path: <george.banyard@gmail.com>
Delivered-To: mailing list internals@lists.php.net
Received: (qmail 80599 invoked from network); 10 Feb 2020 23:44:24 -0000
Received: from unknown (HELO php-smtp4.php.net) (45.112.84.5)
  by pb1.pair.com with SMTP; 10 Feb 2020 23:44:24 -0000
Received: from php-smtp4.php.net (localhost [127.0.0.1])
	by php-smtp4.php.net (Postfix) with ESMTP id 596F61804F8
	for <internals@lists.php.net>; Mon, 10 Feb 2020 13:58:10 -0800 (PST)
X-Spam-Checker-Version: SpamAssassin 3.4.2 (2018-09-13) on php-smtp4.php.net
X-Spam-Level: 
X-Spam-Status: No, score=-0.7 required=5.0 tests=BAYES_05,DKIM_SIGNED,
	DKIM_VALID,DKIM_VALID_AU,DKIM_VALID_EF,FREEMAIL_FROM,HTML_MESSAGE,
	RCVD_IN_DNSWL_NONE,RCVD_IN_MSPIKE_H2,SPF_HELO_NONE,SPF_PASS
	autolearn=no autolearn_force=no version=3.4.2
X-Spam-ASN: AS15169 209.85.128.0/17
X-Spam-Virus: No
X-Envelope-From: <george.banyard@gmail.com>
Received: from mail-ed1-f52.google.com (mail-ed1-f52.google.com [209.85.208.52])
	(using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits)
	 key-exchange ECDHE (P-256) server-signature RSA-PSS (4096 bits) server-digest SHA256)
	(No client certificate requested)
	by php-smtp4.php.net (Postfix) with ESMTPS
	for <internals@lists.php.net>; Mon, 10 Feb 2020 13:58:09 -0800 (PST)
Received: by mail-ed1-f52.google.com with SMTP id e10so2208155edv.9
        for <internals@lists.php.net>; Mon, 10 Feb 2020 13:58:09 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
        d=gmail.com; s=20161025;
        h=mime-version:references:in-reply-to:from:date:message-id:subject:to
         :cc;
        bh=oVM8n+DKgYCLi6qoyDuPpI1ikc3rjq4TW9QIedDkmq8=;
        b=APUC9odLoBAKLxHenwSbcUQqkWskUpzagjIpF8KScHJV+gedKI5OwbJ+yIpNTtQ+q5
         9xEEAhKSdVGzJSz1BXfBDylYTarfKwLXAqBmhrlj9v8q0FZogZVrQUu40z164IR93tDy
         CatxPDkPS/t60R5RgYCVEoFURnr4Z5RmfPPe7VPqBjXA9j2gIa8aYma0zjO0SsWQ7VLn
         2m8Gw01BwapFvdVlsRXwNKIDwLgiI3EIQs+fu6rIDp8jjDSixGtRYHxDKlJTaPuOm9hx
         OTV3C6ru5es+396ufew7dp9CrXPmutCICn/FfDa5a6FetOFAcukB24ZCp3qVJ7wHtQ2k
         WqVg==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
        d=1e100.net; s=20161025;
        h=x-gm-message-state:mime-version:references:in-reply-to:from:date
         :message-id:subject:to:cc;
        bh=oVM8n+DKgYCLi6qoyDuPpI1ikc3rjq4TW9QIedDkmq8=;
        b=R5ZEMOJYut3NY2L+EKvxZl8acQXRI/mgzFYdyIMjDjLYoNxyTkfxjIo1G4rNHvL8lo
         VHCfZa56ZqZ0mCtou6vrVOycFKuj/ZgfVhWx3Fh8sz8j5763BIifHlApUSGWqdjkPChO
         OgDADQ/bhoUjlRIDu1sEbB+5D3p8xOTk7S6zGLx6m24p5++JVjNduuusIvfysL5J03lU
         ceLU+sGqaLt35HquPpzCTZX14AqFoswN1+xblaQEt5Cap6TCOOSUqOyKddkIlrsMMNkz
         EbC8Pb2uCEJmUMtaqM9PlGGmL6xM/CXYzp0PnKAUom553RGRK5a501poBfEo8nhsOtgK
         DQcA==
X-Gm-Message-State: APjAAAXPoLovkwJ433tcJaMj2B0gk/2Ey/GIToJpLivhkAXgFMXFWZDF
	ryJ5NPnb5JRMrjJ3e9G+tlsy3OFjT7hd7mj6iyc=
X-Google-Smtp-Source: APXvYqwxCr9DaMIdKX1mhVol+0ABmmQwTmuatLyGnMYojEYzRN/P+X9s0+KF3Kh1yk7zMh6+vJatNnlKokYedE/62VU=
X-Received: by 2002:a17:906:a842:: with SMTP id dx2mr3045840ejb.380.1581371888470;
 Mon, 10 Feb 2020 13:58:08 -0800 (PST)
MIME-Version: 1.0
References: <CAN+C6bVeO4nU_3egiwhM0MML9NUJJB4oYgWVUo_bhJRPKUVpPQ@mail.gmail.com>
In-Reply-To: <CAN+C6bVeO4nU_3egiwhM0MML9NUJJB4oYgWVUo_bhJRPKUVpPQ@mail.gmail.com>
Date: Mon, 10 Feb 2020 22:57:56 +0100
Message-ID: <CAFPFaMKSEzGtiFE79mDd-FcmZTjB+LDkNdB1eun6iq-NM8K1cQ@mail.gmail.com>
To: Tom Van Looy <tom@ctors.net>
Cc: PHP internals <internals@lists.php.net>
Content-Type: multipart/alternative; boundary="000000000000ab8cdf059e3fd574"
Subject: Re: [PHP-DEV] [RFC] deprecate md5_file and sha1_file
From: george.banyard@gmail.com ("G. P. B.")

--000000000000ab8cdf059e3fd574
Content-Type: text/plain; charset="UTF-8"

On Mon, 10 Feb 2020 at 22:50, Tom Van Looy via internals <
internals@lists.php.net> wrote:

> Hi
>
> While in some environments the use of MD5 and SHA1 are still acceptable for
> some use cases like file integrity verification etc. the use of these
> algorithms should be discouraged and not be your choice when developing new
> applications.
>
> I suggest to deprecated the functions md5_file() and sha1_file(). This will
> make people think about upgrading to a better alternative. If you still
> need this functionality you can always switch to the hash_file() function.
>
> Carrying around these two dedicated functions seems a bit too much for a
> modern PHP. What do you think?
>
> My feeling was that this is a no brainer. Should I open an RFC for this?
>
> Kind regards,
>
> Tom Van Looy
>

I feel that if we deprecate the file versions of these algorithms we
probably should
also deprecate the ones which work with plain old strings, namely md5() and
sha1(). [1] [2]

It should be noted that these hash functions would still be available
through the
Hash extension which is always available as of PHP 7.4 as it became a core
extension.

Depending on how controversial these deprecations are they could be bundled
with the big deprecation RFC for PHP 8.0, which is currently in draft. [3]

George P. Banyard

[1] https://www.php.net/manual/en/function.md5.php
[2] https://www.php.net/manual/en/function.sha1.php
[3] https://wiki.php.net/rfc/deprecations_php_8_0

--000000000000ab8cdf059e3fd574--