Newsgroups: php.internals
Date: Tue, 11 Feb 2020 05:23:19 -0700
Subject: Re: [PHP-DEV] Re: [RFC] deprecate md5_file and sha1_file
From: thruska@cubiclesoft.com (Thomas Hruska)
To: Chase Peeler, Mark Randall
Cc: PHP internals

On 2/10/2020 3:42 PM, Chase Peeler wrote:
> On Mon, Feb 10, 2020 at 5:36 PM Mark Randall wrote:
>
>> On 10/02/2020 21:49, Tom Van Looy via internals wrote:
>>> I suggest to deprecate the functions md5_file() and sha1_file(). This will
>>> make people think about upgrading to a better alternative.
>>
>> It won't.
>>
>> At best it will make people switch to the hash function. At worst people
>> will not upgrade.
>>
>> If people are using the existing md5 / sha1 algorithms, chances are it's
>> because they're actually wanting to get a hash to compare to something
>> that has already been stored.
>>
>> There's not much point in deprecating the algorithm if we don't
>> eventually plan to remove it, and there is an exactly zero percent
>> chance of it being removed at any point in the next 50 years.
>>
>> Mark Randall
>>
> Why? What does deprecating those two functions do to make PHP a better
> language? It doesn't add any new features. It doesn't fix any security
> issues. It doesn't even take away the ability to perform the functionality
> that they provide, since it still exists in the hash_file function.
>
> If you don't like the function, then don't use it.

I'd be fine with someone just adding a Warning to the documentation that
MD5 and SHA-1 are known broken hashing algorithms when used for
*cryptographic/security* purposes. The algorithms and related functions
are completely fine though for other purposes such as detecting
single-bit changes in file data where something a little more robust
than CRC32 is needed but you don't want to waste a lot of storage space.

md5() and sha1() already have basic warnings applied.

-- 
Thomas Hruska
CubicleSoft President
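As an added example (not part of this message, the RFC, or PHP's documentation), the PHP sketch below illustrates the point raised in the thread: md5_file() and sha1_file() give the same output as hash_file(), so digests that are already stored can keep verifying while new records move to SHA-256. The helper name verify_file_digest() and the choice of algorithm by digest length are assumptions made for illustration.

```php
<?php
declare(strict_types=1);

// Hypothetical helper (not from the thread): check a file against a stored
// hex digest, choosing the algorithm from the digest length so that legacy
// MD5/SHA-1 records keep verifying while new records use SHA-256.
const ALGO_BY_HEX_LENGTH = [32 => 'md5', 40 => 'sha1', 64 => 'sha256'];

function verify_file_digest(string $path, string $storedHex): array
{
    $storedHex = strtolower(trim($storedHex));
    $algo = ALGO_BY_HEX_LENGTH[strlen($storedHex)] ?? null;
    if ($algo === null || !ctype_xdigit($storedHex)) {
        throw new InvalidArgumentException('Unrecognised digest format');
    }
    $actual = hash_file($algo, $path);
    if ($actual === false) {
        throw new RuntimeException("Cannot read $path");
    }
    return [
        'algo'    => $algo,
        // hash_equals() compares the two strings in constant time.
        'match'   => hash_equals($storedHex, $actual),
        // MD5 and SHA-1 catch accidental change, not deliberate tampering.
        'legacy'  => $algo !== 'sha256',
        // Digest to store going forward; only meaningful when 'match' is true.
        'upgrade' => hash_file('sha256', $path),
    ];
}

// Constructed sample file so the script runs offline.
$path = tempnam(sys_get_temp_dir(), 'dig');
file_put_contents($path, "constructed sample data\n");

// The dedicated functions and hash_file() produce identical digests.
var_dump(md5_file($path) === hash_file('md5', $path));
var_dump(sha1_file($path) === hash_file('sha1', $path));

$legacy = md5_file($path);                  // record as an old system stored it
$result = verify_file_digest($path, $legacy);
printf("%s match=%s legacy=%s\n", $result['algo'],
    var_export($result['match'], true), var_export($result['legacy'], true));

file_put_contents($path, 'x', FILE_APPEND); // simulate a changed file
var_dump(verify_file_digest($path, $legacy)['match']);
unlink($path);
```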