Newsgroups: php.internals
Path: news.php.net
Xref: news.php.net php.internals:117093
Return-Path: <ocramius@gmail.com>
Delivered-To: mailing list internals@lists.php.net
Received: (qmail 86483 invoked from network); 21 Feb 2022 10:30:02 -0000
Received: from unknown (HELO php-smtp4.php.net) (45.112.84.5)
  by pb1.pair.com with SMTP; 21 Feb 2022 10:30:02 -0000
Received: from php-smtp4.php.net (localhost [127.0.0.1])
	by php-smtp4.php.net (Postfix) with ESMTP id 4950B180540
	for <internals@lists.php.net>; Mon, 21 Feb 2022 03:49:14 -0800 (PST)
X-Spam-Checker-Version: SpamAssassin 3.4.2 (2018-09-13) on php-smtp4.php.net
X-Spam-Level: 
X-Spam-Status: No, score=-2.1 required=5.0 tests=BAYES_00,DKIM_SIGNED,
	DKIM_VALID,DKIM_VALID_AU,DKIM_VALID_EF,FREEMAIL_FROM,HTML_MESSAGE,
	RCVD_IN_DNSWL_NONE,RCVD_IN_MSPIKE_H3,RCVD_IN_MSPIKE_WL,SPF_HELO_NONE,
	SPF_PASS autolearn=no autolearn_force=no version=3.4.2
X-Spam-ASN: AS15169 209.85.128.0/17
X-Spam-Virus: No
X-Envelope-From: <ocramius@gmail.com>
Received: from mail-oo1-f41.google.com (mail-oo1-f41.google.com [209.85.161.41])
	(using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits)
	 key-exchange ECDHE (P-256) server-signature RSA-PSS (4096 bits) server-digest SHA256)
	(No client certificate requested)
	by php-smtp4.php.net (Postfix) with ESMTPS
	for <internals@lists.php.net>; Mon, 21 Feb 2022 03:49:13 -0800 (PST)
Received: by mail-oo1-f41.google.com with SMTP id 189-20020a4a03c6000000b003179d7b30d8so12820910ooi.2
        for <internals@lists.php.net>; Mon, 21 Feb 2022 03:49:13 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
        d=gmail.com; s=20210112;
        h=mime-version:references:in-reply-to:from:date:message-id:subject:to
         :cc;
        bh=pO8gpUyQ4lE/GIPdFoHahyeClArLNsQDlsarUMfVimw=;
        b=Z4yqVV62ra4AATi2pln25Y3q/arwW0QSqrPNuR69RhEofUS3ToI+QgNTRHZyS4m+Ei
         zSJcRBsTm4BGI9oTcPx0/lVwPGA6wpdPc3+Q4EFtJzrgnfYdBjFTIDYzgWpWUUMRh7kl
         78BON+GJFURQ9OhNwAoO+bbW01OBRayjyDj1Fo/MyBTZkpV1yUYufR/DtBoAa4vP3DRT
         hH+Tx9x6kLaACZMy+pzjPi2NDAvV4r/c2IAC6ncpctHzDjhkYslOT8xanHQ8aGghJqlE
         7HOcfIyxcPeWnvHxeuACek5nG2YOBpX68FepvT1b0x6ckIxrLQ0M2H9PohVjFeukTzSq
         14JQ==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
        d=1e100.net; s=20210112;
        h=x-gm-message-state:mime-version:references:in-reply-to:from:date
         :message-id:subject:to:cc;
        bh=pO8gpUyQ4lE/GIPdFoHahyeClArLNsQDlsarUMfVimw=;
        b=uN8tliP5uH5SkBOt8enOVGLZ6Xvm0ZmzxMFcx6pfAnkvZK35RbPvLjOS5u9YMMPoQw
         g9UEcxROc8Ua+7uNMw77Gc2hLiW1vcJspPhQ2PWIluM3lZcOcqV0ybFgYZfGjsuDKytU
         91I0PlCdR6PaTqFHC/+tyFU8Czh/UiheacxDFdLO5PtWLtOndlBXJstAqwzabe+74nKu
         oBB6PSurexgJ6GGQddzGcuYB9IZSY5Rg9UNLu4VRUe+gFRcxj9Ox6bzO6hXuwyhESM0z
         16ai5alRJKKA/ggWS53qKoTFWNP5bevNdnL27pBu7K9jsR9RNky1hBiTecuOp3DJjM/+
         r7UA==
X-Gm-Message-State: AOAM532S9vSRXdPIS56LUoZ5Lh1z8h+LNESkjcbDr4c0tf7KfxIIuqUX
	2ar66joXBqGuVGHKQ7qgWJR0ATYH1dUWJk0ni3Q=
X-Google-Smtp-Source: ABdhPJwy8MRfwgJYskD9u4uqK6KzNg1fFHLSwRTFdrFrf68rEXbGQhZJYcZELv+nVGgJpHrvhCvsz2fH+QNMcLHfgaM=
X-Received: by 2002:a05:6870:79f:b0:c4:7dc0:d6e5 with SMTP id
 en31-20020a056870079f00b000c47dc0d6e5mr2743343oab.184.1645444152737; Mon, 21
 Feb 2022 03:49:12 -0800 (PST)
MIME-Version: 1.0
References: <5983302.2649742.1645319015766@email.ionos.com>
 <6238bf00-011e-35cc-d84b-4082b4f05099@gmail.com> <497325306.1564942.1645357444018@email.ionos.com>
 <3c6871ca-589d-6812-800c-a3b9ad6bb575@bastelstu.be> <CADyq6sLWRfD2DJwRNWmX=s7rbA2Rs+Agu9tsW9mLQbCeJ27vwA@mail.gmail.com>
 <40015164-ac0c-336d-c7d6-c4766d6caff8@gmail.com> <CADyq6s+e_Jkwg1UoGS_e23=6FciRB2-d8q_NxkREMt45f=vs8g@mail.gmail.com>
 <b52c5f52-3295-7792-1897-c170bb132331@bastelstu.be> <CADyq6sKjgkM2z_MkYypw79E-payfVG4m7hdsbDoLTPnSJMTLhA@mail.gmail.com>
 <7527ab0b-bed1-6788-a0ff-e75672054be7@bastelstu.be>
In-Reply-To: <7527ab0b-bed1-6788-a0ff-e75672054be7@bastelstu.be>
Date: Mon, 21 Feb 2022 12:49:01 +0100
Message-ID: <CADyq6s+0-tWjLbMz5k-DyJ0UpQtkw5GYiUJaQsd7awGmLdRpxQ@mail.gmail.com>
To: =?UTF-8?Q?Tim_D=C3=BCsterhus?= <tim@bastelstu.be>
Cc: Stanislav Malyshev <smalyshev@gmail.com>, PHP Internals List <internals@lists.php.net>
Content-Type: multipart/alternative; boundary="00000000000038c21b05d885d2ca"
Subject: Re: [PHP-DEV] RFC proposal to deprecate crypt()
From: ocramius@gmail.com (Marco Pivetta)

--00000000000038c21b05d885d2ca
Content-Type: text/plain; charset="UTF-8"
Content-Transfer-Encoding: quoted-printable

On Mon, Feb 21, 2022 at 12:39 PM Tim D=C3=BCsterhus <tim@bastelstu.be> wrot=
e:

> Hi
>
> On 2/21/22 12:12, Marco Pivetta wrote:
> >>>> If it's not going to be removed, what's the point of annoying people
> >>>> with deprecation warnings (that they would patch out/silence anyway)=
?
> >>>>
> >>>
> >>> Probably to be removed in `9.0` or `10.0`? Yes, it should be removed =
at
> >>> some point.
> >>
> >> In contrast to other deprecations (e.g. the utf8_encode/decode current=
ly
> >> discussed), deprecating and ultimately removing crypt() results in an
> >> actual loss of functionality.
> >>
> >
> > ...yes? That's the point?
> >
>
> I understand that that's the point. However I agree with Stas that this
> would be a BC break with no practical gain and I articulated the reasons
> why I believe that: If crypt() is what you need, then crypt() is what
> you need and being told that your use-case is invalid is not helping
> you. The function already exists and I assume that it does not require
> (relevant) maintenance effort for PHP maintainers keeping it.
>

Not a maintenance effort exercise, but a user education exercise.
Users need to stop using `crypt()`, because it just has to stop, period.
They have a period of time to migrate away from it, and then they will get
a hard crash when it's gone-gone-gone, which is **OK**.

In addition to that, end-users of PHP-SRC are not paying customers to the
php foundation, and their systems will keep rotting until they will finally
have to touch them: it would be a different story if there was a LTS
contract in place, but that's not how OSS works.

They can also polyfill it with whatever crazy and broken contraption works
for them, as long as they take the irresponsible security decision upon
themselves.

Calibrated code and feature removal is part of the software maintenance
process, and it has more effects than just code size increase.



> With the same arguments one could deprecate and remove md5() (and
> possibly sha1() as well). It should not be used for passwords, it should
> not be used for signatures and any new use should require *careful*
> review. Nonetheless there are cases where you still need an
> implementation of md5() and then not having md5() is an issue.
>
> If someone proposed the removal of md5() I'd disagree the same.
>

As mentioned elsewhere in the mail thread, `crypt()` is not designed for
fast hashing, and is in fact slow by design.
MD5 and SHA1 still have a place, compared to that, as they are not designed
solely for password hashing.

This is part of "calibrated code and feature removal" from above.

Marco Pivetta

http://twitter.com/Ocramius

http://ocramius.github.io/

--00000000000038c21b05d885d2ca--