Newsgroups: php.internals
Path: news.php.net
Xref: news.php.net php.internals:118198
Return-Path: <rowan.collins@gmail.com>
Delivered-To: mailing list internals@lists.php.net
Received: (qmail 17125 invoked from network); 5 Jul 2022 09:05:31 -0000
Received: from unknown (HELO php-smtp4.php.net) (45.112.84.5)
  by pb1.pair.com with SMTP; 5 Jul 2022 09:05:31 -0000
Received: from php-smtp4.php.net (localhost [127.0.0.1])
	by php-smtp4.php.net (Postfix) with ESMTP id 46373180539
	for <internals@lists.php.net>; Tue,  5 Jul 2022 03:58:16 -0700 (PDT)
X-Spam-Checker-Version: SpamAssassin 3.4.2 (2018-09-13) on php-smtp4.php.net
X-Spam-Level: 
X-Spam-Status: No, score=-0.7 required=5.0 tests=BAYES_05,DKIM_SIGNED,
	DKIM_VALID,DKIM_VALID_AU,DKIM_VALID_EF,FREEMAIL_FROM,NICE_REPLY_A,
	RCVD_IN_DNSWL_NONE,RCVD_IN_MSPIKE_H2,SPF_HELO_NONE,SPF_PASS,
	T_SCC_BODY_TEXT_LINE autolearn=no autolearn_force=no version=3.4.2
X-Spam-ASN: AS15169 209.85.128.0/17
X-Spam-Virus: No
X-Envelope-From: <rowan.collins@gmail.com>
Received: from mail-wr1-f52.google.com (mail-wr1-f52.google.com [209.85.221.52])
	(using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits)
	 key-exchange ECDHE (P-256) server-signature RSA-PSS (2048 bits) server-digest SHA256)
	(No client certificate requested)
	by php-smtp4.php.net (Postfix) with ESMTPS
	for <internals@lists.php.net>; Tue,  5 Jul 2022 03:58:15 -0700 (PDT)
Received: by mail-wr1-f52.google.com with SMTP id b26so17015684wrc.2
        for <internals@lists.php.net>; Tue, 05 Jul 2022 03:58:15 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
        d=gmail.com; s=20210112;
        h=message-id:date:mime-version:user-agent:subject:content-language:to
         :references:from:in-reply-to:content-transfer-encoding;
        bh=hT6atuL2ulIAsZODsok+FBG4Pfy1MZTK7M/lce83naA=;
        b=e1VIcwd9n/uq0Pu8M+N9kWKKH+YfePgKuWjex+MKofm80AFY1gp+7XpisLLjT2jFC1
         GRkE+BVfxhaK+zIv339FWS+KNJtIzt5Z9N1/uMIkMZKmh4CPfLpgZzMVoJbmaWm9MCVM
         uqYzx2rW00nLzdRlgvwXJJyeKv1GUYS9XvnniCHt2hdJfLGfqmGUxYQ6RTxiYin9muXu
         ASPtdP5eoT7AktkKRq/FNIEBbCWmvRg1mxsv1Bi3TRepQse4PxnPwjRjDshrge5gcsX4
         BnRV6Gy4X/ZW0m0bsBdmHBXcpmpsisGEyPaw9RU/sYnE22heuWS86I1v6AtbwsuhFfXU
         SGIQ==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
        d=1e100.net; s=20210112;
        h=x-gm-message-state:message-id:date:mime-version:user-agent:subject
         :content-language:to:references:from:in-reply-to
         :content-transfer-encoding;
        bh=hT6atuL2ulIAsZODsok+FBG4Pfy1MZTK7M/lce83naA=;
        b=1TeeijbnlM1Tm2vb7cwIJP+nKIs8WxCetox75bIsK+FITjP+FAyFAfosdv6lcdO768
         nsHRADk/tMJyYMInM++mM56ghwu4ykZIA7wZhvOckUA36zBQuTGVYZwdLx/vACnpLNrR
         DRbYYvyKh0Yl0NnwGhPDqGysYcZap/GTh/IGmxMSo1Iz7x+Bv+aOo709x2jW/oEBqWM5
         KgfgE/d2F5PlTa5I9l1GwwAyhDpcsZMPgEXK23Qkh9Ig/iZ7FinrJZAjGv95nGycz4Po
         KFwhUfIqEf4/HSQWjbERUbPup+s+D98e/oO+qy0P+kJhLs2tQBSzeZg91ZfmalMC7i3T
         LCOA==
X-Gm-Message-State: AJIora+xnc04eTqpHEQ42YoVaNCgneJ233KqZHlerP2i6u+nmC9ju/3D
	fuf9+NXRf9V09mQIgeXNIQ/kiC4SCgU=
X-Google-Smtp-Source: AGRyM1tHZiPNOHTlxb/1F0p+khHOJ1xiL5t6kClYZnGsY07M83mrlgfWZ+8Q2uSai4VHy9uwbgnScw==
X-Received: by 2002:adf:dd05:0:b0:21d:ea5:7125 with SMTP id a5-20020adfdd05000000b0021d0ea57125mr31732792wrm.298.1657018694307;
        Tue, 05 Jul 2022 03:58:14 -0700 (PDT)
Received: from [192.168.0.22] (cpc104104-brig22-2-0-cust548.3-3.cable.virginm.net. [82.10.58.37])
        by smtp.googlemail.com with ESMTPSA id q3-20020a1c4303000000b003a03185231bsm22394326wma.31.2022.07.05.03.58.12
        for <internals@lists.php.net>
        (version=TLS1_3 cipher=TLS_AES_128_GCM_SHA256 bits=128/128);
        Tue, 05 Jul 2022 03:58:13 -0700 (PDT)
Message-ID: <79b23d28-6f74-fcd3-3e8b-590252c237e6@gmail.com>
Date: Tue, 5 Jul 2022 11:58:12 +0100
MIME-Version: 1.0
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:91.0) Gecko/20100101
 Thunderbird/91.11.0
Content-Language: en-GB
To: internals@lists.php.net
References: <CAOfKkdR0cab4-rWdVpzGPtg8nraNBWLN3whe9xs2mAw5x1MVyw@mail.gmail.com>
In-Reply-To: <CAOfKkdR0cab4-rWdVpzGPtg8nraNBWLN3whe9xs2mAw5x1MVyw@mail.gmail.com>
Content-Type: text/plain; charset=UTF-8; format=flowed
Content-Transfer-Encoding: 7bit
Subject: Re: [PHP-DEV] [RFC][Vote] New Curl URL API
From: rowan.collins@gmail.com (Rowan Tommins)

On 05/07/2022 00:34, Pierrick Charron wrote:
> I opened voting for the new Curl URL API as part of PHP8.2.
> https://wiki.php.net/rfc/curl-url-api
>
> All recent discussions show that we are not even close to getting a
> consensus on how the new CurlUrl OO API should be done. After changing my
> mind 300 times in the last day, I decided to only propose the procedural
> implementation that stays consistent with other functions of the ext/curl
> to target 8.2. I know this is not the ideal scenario, but with 8.2 feature
> freeze in two weeks, this is I think the only approach that will not put us
> in a potentially bad/harmful situation for a better future with ext/curl.


I agree with others that rushing to a vote is not the best way to handle 
the situation here. We are now essentially voting on an RFC that has had 
zero discussion time, since it has been completely rewritten.

I understand that you are keen to get this into a release because you 
see it as a security feature, but that's exactly why we need to be sure 
we have the right design.

I'm also still not clear who will use this API and how it will improve 
their security. There seems to be a risk of people using these functions 
in the wrong way, or the wrong circumstances, and actually making their 
code less secure.

Because of all of the above, I have cast a No vote, because I would 
rather the right implementation was delayed until PHP 8.3 than the wrong 
implementation rushed into PHP 8.2.

Regards,

-- 
Rowan Tommins
[IMSoP]