Newsgroups: php.internals
Path: news.php.net
Xref: news.php.net php.internals:120632
Return-Path: <php-internals_nospam@adviesenzo.nl>
Delivered-To: mailing list internals@lists.php.net
Received: (qmail 28452 invoked from network); 20 Jun 2023 04:04:09 -0000
Received: from unknown (HELO php-smtp4.php.net) (45.112.84.5)
  by pb1.pair.com with SMTP; 20 Jun 2023 04:04:09 -0000
Received: from php-smtp4.php.net (localhost [127.0.0.1])
	by php-smtp4.php.net (Postfix) with ESMTP id 8F835180538
	for <internals@lists.php.net>; Mon, 19 Jun 2023 21:04:08 -0700 (PDT)
X-Spam-Checker-Version: SpamAssassin 3.4.2 (2018-09-13) on php-smtp4.php.net
X-Spam-Level: *
X-Spam-Status: No, score=1.2 required=5.0 tests=BAYES_00,DKIM_SIGNED,
	DKIM_VALID,DKIM_VALID_AU,DKIM_VALID_EF,HTML_MESSAGE,NICE_REPLY_A,
	RCVD_IN_DNSWL_NONE,RCVD_IN_MSPIKE_H2,SPF_HELO_NONE,SPF_SOFTFAIL,
	STOX_BOUND_090909_B,T_SCC_BODY_TEXT_LINE autolearn=no
	autolearn_force=no version=3.4.2
X-Spam-ASN: AS36483 23.83.208.0/21
X-Spam-Virus: No
X-Envelope-From: <php-internals_nospam@adviesenzo.nl>
Received: from bee.birch.relay.mailchannels.net (bee.birch.relay.mailchannels.net [23.83.209.14])
	(using TLSv1.2 with cipher ECDHE-ECDSA-AES256-GCM-SHA384 (256/256 bits))
	(No client certificate requested)
	by php-smtp4.php.net (Postfix) with ESMTPS
	for <internals@lists.php.net>; Mon, 19 Jun 2023 21:04:07 -0700 (PDT)
X-Sender-Id: a2hosting|x-authuser|juliette@adviesenzo.nl
Received: from relay.mailchannels.net (localhost [127.0.0.1])
	by relay.mailchannels.net (Postfix) with ESMTP id 7CB843E1135;
	Tue, 20 Jun 2023 04:04:06 +0000 (UTC)
Received: from nl1-ss105.a2hosting.com (unknown [127.0.0.6])
	(Authenticated sender: a2hosting)
	by relay.mailchannels.net (Postfix) with ESMTPA id 304ED3E0CAB;
	Tue, 20 Jun 2023 04:04:05 +0000 (UTC)
ARC-Seal: i=1; s=arc-2022; d=mailchannels.net; t=1687233845; a=rsa-sha256;
	cv=none;
	b=4A6bCBvXC68OwlOk+06GdH6Gk1GM/fo3PJq6NWG1s6/qzmFO880PUsfw7Qvmz87vGJGYdh
	tEIgG0erM2KiweaUmnnbo7FWb7Au7cXv9Zvu5zVc/ym9kMZgDETqWMvz4cO/2NFuT+HYEE
	wuZqR5nCGej3eeVDc3dFkDVLFs8t1qOdGI38zFt99COk+n96tcbjsCIPj2lQnL+iUz/78f
	5QlJ7ZjmX3eF+f7h1KI3Hfs3oeqEsYGCmIrfBROkPKcI61skpOFVyW/iODh3in6dzMdzwY
	RQvW4Bp1DMuddkEYnJ6vzuRruS6BwLksolIp3YNLsA5HDABNOjRfDG+KKT14Rg==
ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed;
 d=mailchannels.net;
	s=arc-2022; t=1687233845;
	h=from:from:reply-to:subject:subject:date:date:message-id:message-id:
	 to:to:cc:mime-version:mime-version:content-type:content-type:
	 in-reply-to:in-reply-to:references:references:dkim-signature;
	bh=0AYDIqNia6JWZgCKzA+ycOqH37yV09MheqSa8/dnm6k=;
	b=7VPJo+XLvbdiPOa3JKiXFHnBeZFa1K/avjOeSVE/7gmARHptLp+oOatC5Xk95DjQ/KWIcO
	fO8o8/VsUx2xr6C5dS/J2mmqMZj6n8/rbAtUkARAwsQC5OSh1hIDo/AwWtVNzGV/RCL05q
	K+LczcNWwPppHZlAVW5LwMntvMX3/hRpmH0dAneKMH8L0HnF4sHs1Ef+Pf7k2GrEL1gkgH
	K5OEQZosJQltX61LQXBAt6sy8KbknYGtpXzpdiRKwYSf7PKmBD2+Fim/vbF+7wLVhtGcl0
	ljByDM0QrERJJtdgYXhpmw3BAbSCXbqUm6K4GYq0YDT+43BoOAhI1vyi4cgL1g==
ARC-Authentication-Results: i=1;
	rspamd-85899d6fcc-rwzts;
	auth=pass smtp.auth=a2hosting
 smtp.mailfrom=php-internals_nospam@adviesenzo.nl
X-Sender-Id: a2hosting|x-authuser|juliette@adviesenzo.nl
X-MC-Relay: Neutral
X-MailChannels-SenderId: a2hosting|x-authuser|juliette@adviesenzo.nl
X-MailChannels-Auth-Id: a2hosting
X-Ski-Company: 0f44373d02e9be53_1687233845877_829924676
X-MC-Loop-Signature: 1687233845877:3298454565
X-MC-Ingress-Time: 1687233845877
Received: from nl1-ss105.a2hosting.com (nl1-ss105.a2hosting.com
 [85.187.142.69])
	(using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384)
	by 100.104.253.208 (trex/6.9.1);
	Tue, 20 Jun 2023 04:04:05 +0000
DKIM-Signature: v=1; a=rsa-sha256; q=dns/txt; c=relaxed/relaxed;
	d=adviesenzo.nl; s=default; h=Content-Type:In-Reply-To:MIME-Version:Date:
	Message-ID:From:References:To:Subject:Sender:Reply-To:Cc:
	Content-Transfer-Encoding:Content-ID:Content-Description:Resent-Date:
	Resent-From:Resent-Sender:Resent-To:Resent-Cc:Resent-Message-ID:List-Id:
	List-Help:List-Unsubscribe:List-Subscribe:List-Post:List-Owner:List-Archive;
	bh=0AYDIqNia6JWZgCKzA+ycOqH37yV09MheqSa8/dnm6k=; b=aDiqQXlF4Kt1GM8+uGjO8RW6hl
	Hj3J94ThkGk2Nmcip6P3NiMO1J0AdBR7tOX1Kb6KSYBqGl30kbD6CrXKuRadj14pCf4t84OTzNT5e
	+5y3GdJinJGDq1458PtW3uO0UPNYhjzdtwTMq+CXjAPAblIKtViMk6DgKs0F/Z8vY85o=;
Received: from 86-154-178-143.ftth.glasoperator.nl ([143.178.154.86]:55403 helo=[192.168.1.104])
	by nl1-ss105.a2hosting.com with esmtpsa  (TLS1.2) tls TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256
	(Exim 4.96)
	(envelope-from <php-internals_nospam@adviesenzo.nl>)
	id 1qBSb6-000GRw-15;
	Tue, 20 Jun 2023 06:04:03 +0200
To: internals@lists.php.net,
 =?UTF-8?Q?kocsismate90@gmail.com_>>_M=c3=a1t=c3=a9_Kocsis?=
 <kocsismate90@gmail.com>
References: <CAH5C8xWAsRV+8h-tZ2Xq0=tn753kbSQX=KSEYsE2fWEtQVMrew@mail.gmail.com>
 <CAMs36HfmXuUJWJ0uih+Pj_vui4wG4vy3OTMmmspGmpP9h_gvgw@mail.gmail.com>
 <9ea3a5af-679d-ad63-f9c2-e0d8d148db3f@bastelstu.be>
 <CABTDVhDPLwBHDDzfXcHhs4VZNMHswWqum9muKgZcA63sgMCZdg@mail.gmail.com>
 <5ca4e382-8284-1cd0-696f-0dfd693523f8@bastelstu.be>
 <CAH5C8xWnAjep7kkTSg3=koBd7U0XuBkwF0-k61Mvv1J-m5yRiQ@mail.gmail.com>
 <648B24CF.4090105@adviesenzo.nl>
 <CAH5C8xWFOvBrEJbqB+cvHguyamQT6Kp=vLN3K-Nj9HyOgHx24w@mail.gmail.com>
Message-ID: <64912532.6070809@adviesenzo.nl>
Date: Tue, 20 Jun 2023 06:04:02 +0200
User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; rv:38.0) Gecko/20100101
 Thunderbird/38.7.0
MIME-Version: 1.0
In-Reply-To: <CAH5C8xWFOvBrEJbqB+cvHguyamQT6Kp=vLN3K-Nj9HyOgHx24w@mail.gmail.com>
Content-Type: multipart/alternative;
 boundary="------------080504070607070809060706"
X-AuthUser: juliette@adviesenzo.nl
Subject: Re: [PHP-DEV] [RFC] [Discussion] PHP 8.3 deprecations
From: php-internals_nospam@adviesenzo.nl (Juliette Reinders Folmer)

--------------080504070607070809060706
Content-Type: text/plain; charset=utf-8; format=flowed
Content-Transfer-Encoding: 8bit

On 19-6-2023 23:27, Máté Kocsis wrote:
> Hi Juliette,
>
> For the mb_strimwidth() proposal an impact analysis is provided at the end
> ("over 100 projects were reviewed").
>
> For the other proposals there isn't and we do not believe this to be
> useful. We consider deprecations to be different from other RFCs that add
> new features,
> because functionality usually is deprecated because it is "harmful" in one
> way or another. A large impact (i.e. broad usage) should not necessarily be
> an
> argument against deprecation. Please also keep in mind that a deprecation
> is just that, a deprecation. It gives developers a heads up to migrate off
> the
> functionality at their own pace. We know that package maintainers are
> bugged by users whenever a new deprecation message emerges in a new PHP
> version,
> but this doesn't mean maintainers must react right away.
>
> Let us elaborate why we don't think impact analysis is needed here:
>
> * As per the TYPE_CURRENCY constant is (a) completely non-functional and
> (b) unfixable. As such any code that uses the constant is already broken and
> the deprecation is just pointing this out, making the user aware.
> * The CRYPT_* constants are possibly the least harmful part of the RFC, but
> they still can be misleading to a new developer. They are trivially
> polyfilled and
> also trivially removed from existing code by replacing them with 1.
> * MT_RAND_PHP is broken, because the sequences are not well-defined,
> defeating any reason for seeding. More reasons are already given in the RFC.
> * mt_rand() is everywhere and we don't believe anyone is denying that fact.
> But this should not be a reason against deprecation. As the RFC outlines,
> it is trivial to find this function misused with GitHub's search. We
> believe that the depreciation benefit outweighs the costs for existing
> users.
> * ldap_connect() is already soft-deprecated in the documentation.
>
> Regards,
> The authors of th RFC
>

Hi Máté,

While I appreciate that _most_ of these will be low impact and are 
justified, I very much disagree with that for the proposed `mt_rand()` 
and friends deprecations.

There are plenty of situations where it is of absolutely no interest to 
get a crypographically secure value, like for generating some 
semi-random test data and I strongly believe the impact of these 
deprecations to be large and fixing it won't always be trivial for 
codebases which support a range of PHP versions.

As a matter of principle I believe there should be an impact analysis 
for anything being deprecated. It can inform the voters as to the 
appropriateness of the timing of the deprecation - early on in a major 
cycle vs late in a major cycle -. Others may just take it as a FYI, but 
at least they have access to the information if they wanted to assess it.

While I appreciate what you are saying about deprecations being an 
"action list to migrate at your own pace", the reality for open source 
packages is different as the sheer amount of deprecations over the past 
few years have taken huge amounts of time to address and "leaving those 
till later" is just not an option as the amount of time needed is the 
same and time can only be spend once.

To give you some idea: work related to PHP 8.0 and 8.1 has been nine 
months out of the year for each in my case for the open source projects 
I'm involved with, so no, leaving that to later is not an option.

Smile,
Juliette


--------------080504070607070809060706--