Newsgroups: php.internals
Subject: Minor security improvement
From: remi@php.net (Remi Collet)
To: PHP Internals
Date: Thu, 5 Aug 2021 14:04:08 +0200

In phar, the default signature is still SHA-1, which is no longer considered secure.

Proposal: switch to SHA256 by default
https://github.com/php/php-src/pull/7341

The old algorithms are not removed; at least they are required to check old archives. Perhaps it could make sense to raise a warning when they are used.

In SNMP, the auth protocol only supports MD5 and SHA-1; RFC 7860 recommends SHA256 and SHA512.
https://github.com/php/php-src/pull/7342

As a minor, self-contained change, it is probably not worth an RFC.

Please comment on the PRs.

Remi
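As an added example (not part of Remi's message or of the linked PRs), the PHP script below shows what the phar change means for existing archives: it reads the signature type of a phar with Phar::getSignature() and, when the archive is still signed with MD5 or SHA-1, re-signs it with Phar::setSignatureAlgorithm(Phar::SHA256). The small archive it builds first is constructed for the demo, and the helper names are my own; the script needs phar.readonly=0 because it rewrites the archive.

```php
<?php
// Added example: audit a phar's signature algorithm and re-sign it with
// SHA-256 if it still carries an MD5 or SHA-1 signature.
// Run with: php -d phar.readonly=0 phar_audit.php

/**
 * Signature type of a phar as reported by Phar::getSignature():
 * "MD5", "SHA-1", "SHA-256", "SHA-512" or "OpenSSL"; null if unsigned.
 */
function pharSignatureType(string $path): ?string
{
    $phar = new Phar($path);
    $sig = $phar->getSignature();
    return $sig === false ? null : $sig['hash_type'];
}

/**
 * Re-sign the archive with SHA-256 when its current signature is weak
 * (or missing) and return the signature type afterwards.
 */
function upgradePharSignature(string $path): string
{
    $type = pharSignatureType($path);
    if ($type === null || $type === 'MD5' || $type === 'SHA-1') {
        $phar = new Phar($path);
        // The old algorithms stay supported for reading, so an archive signed
        // with SHA-1 still opens; rewriting the signature moves it to SHA-256.
        $phar->setSignatureAlgorithm(Phar::SHA256);
    }
    return pharSignatureType($path);
}

// Constructed sample: a small archive signed with SHA-1, the way an archive
// built under the old default would look.
$path = sys_get_temp_dir() . '/signature_demo.phar';
@unlink($path);
$phar = new Phar($path);
$phar->startBuffering();
$phar->addFromString('hello.php', "<?php echo \"hello\\n\";\n");
$phar->setStub($phar->createDefaultStub('hello.php'));
$phar->setSignatureAlgorithm(Phar::SHA1);
$phar->stopBuffering();
unset($phar);

printf("before: %s\n", pharSignatureType($path));
printf("after:  %s\n", upgradePharSignature($path));
```

Because the SHA-1 and MD5 verifiers remain in place, older archives keep working without change; the script is the defender's side of the proposal, finding archives that still rely on the weak default and rewriting them so that a tampered copy cannot be passed off with a colliding digest.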