Newsgroups: php.internals
From: php.lists@allenjb.me.uk (AllenJB)
To: Tom Van Looy, PHP internals
Date: Tue, 11 Feb 2020 09:34:24 +0000
Message-ID: <14a19b55-b7fa-5879-90cf-fc285c141ae8@allenjb.me.uk>
Subject: Re: [PHP-DEV] [RFC] deprecate md5_file and sha1_file

As others have mentioned, this will do nothing but make
people annoyed and switch to the hash_file() version of exactly the same
thing or put up another hurdle to upgrading PHP.

The password hashing API now provides an obvious go-to for password
hashing.

For other hashing usages there are, I think, basically two scenarios
developers find themselves in:

1) I'm using an API or some other external service and that requires the
   use of md5 / sha1 - I don't have a choice

2) What do I use instead? Internet searches return "sha1 / md5 is fine
   for this purpose" or recommend algorithms that aren't natively
   supported in PHP.

The (hash library) documentation does nothing towards helping developers
decide what algorithms (or even which hash library functions) they
should use for what purposes (and there are a lot of acronyms that many
developers are likely to have never encountered that are never
explained - HMAC, PBKDF2, HKDF).

Yes, of course developers can use third party sources to supplement the
information in the manual, but who has time to go searching for that
(esp. when most of the first page on Google probably tells you md5/sha1
is fine anyway)?

If you want to change the way developers think about hashing when
writing PHP, I would start with the documentation rather than
deprecating functions which are essentially aliases and are highly
likely used all over the place in cases where they do exactly what
people want.

AllenJB

On 10/02/2020 21:49, Tom Van Looy via internals wrote:
> Hi
>
> While in some environments the use of MD5 and SHA1 are still acceptable for
> some use cases like file integrity verification etc. the use of these
> algorithms should be discouraged and not be your choice when developing new
> applications.
>
> I suggest to deprecate the functions md5_file() and sha1_file(). This will
> make people think about upgrading to a better alternative. If you still
> need this functionality you can always switch to the hash_file() function.
>
> Carrying around these two dedicated functions seems a bit too much for a
> modern PHP. What do you think?
>
> My feeling was that this is a no brainer. Should I open an RFC for this?
>
> Kind regards,
>
> Tom Van Looy
>
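
Added example (not written by either poster and not taken from the PHP manual): a side-by-side of the hash-extension functions and acronyms named in this thread, showing which call fits which purpose. The file contents, passphrase, HKDF labels and PBKDF2 iteration count are constructed sample values.

```php
<?php
// Added illustration; all inputs below are constructed samples.
declare(strict_types=1);

$path = tempnam(sys_get_temp_dir(), 'demo');
file_put_contents($path, "constructed sample payload\n");

// 1) md5_file()/sha1_file() return the same digest as hash_file()
//    called with the matching algorithm name.
$sameMd5  = md5_file($path)  === hash_file('md5',  $path);
$sameSha1 = sha1_file($path) === hash_file('sha1', $path);

// 2) File integrity in new code: same call shape, stronger algorithm.
//    $expected stands in for a digest published alongside the file.
$expected = hash_file('sha256', $path);
$intact   = hash_equals($expected, hash_file('sha256', $path));

// 3) HMAC: a keyed digest. Only a holder of $key can produce a valid
//    tag, so it authenticates the file as well as checking integrity.
$key       = random_bytes(32);
$tag       = hash_hmac_file('sha256', $path, $key);
$authentic = hash_equals($tag, hash_hmac_file('sha256', $path, $key));
$wrongKey  = hash_equals($tag, hash_hmac_file('sha256', $path, random_bytes(32)));

// 4) HKDF: derive independent subkeys from one high-entropy secret.
//    The info strings are hypothetical purpose labels.
$encKey = hash_hkdf('sha256', $key, 32, 'demo-encryption');
$macKey = hash_hkdf('sha256', $key, 32, 'demo-authentication');

// 5) PBKDF2: stretch a low-entropy passphrase into key material.
//    The iteration count is an illustrative value, not a recommendation
//    from this thread.
$salt    = random_bytes(16);
$derived = hash_pbkdf2('sha256', 'constructed passphrase', $salt, 600000, 32, true);

// 6) Password storage: the password hashing API mentioned above,
//    which picks the algorithm, salt and cost itself.
$stored   = password_hash('constructed passphrase', PASSWORD_DEFAULT);
$verified = password_verify('constructed passphrase', $stored);

var_dump($sameMd5, $sameSha1, $intact, $authentic, $wrongKey,
         $encKey !== $macKey, strlen($derived), $verified);
unlink($path);
```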