Newsgroups: php.internals
Message-ID: <38872be3-149d-42f3-a115-8e4409778d0a@bastelstu.be>
Date: Tue, 25 Jun 2024 20:15:31 +0200
Subject: Re: [PHP-DEV] [RFC] Deprecations for PHP 8.4
From: tim@bastelstu.be (Tim Düsterhus)
To: Derick Rethans, Marco Pivetta
Cc: "Gina P. Banyard", PHP internals, timwolla@php.net

Hi

On 6/25/24 17:49, Derick Rethans wrote:
> These functions are indeed often used. The documentation for uniqid has
> some nice big warnings too. It can be used in situations, where it is
> OK.

Yes, the RFC acknowledges that.

> Replacing the algorithm underneath uniqid can (and perhaps should) be
> looked at.

As explained in the RFC: The behavior is unfixable, because uniqid() is documented to be time-based. Changing the output format would be a much bigger breaking change than deprecating the function and letting users make an educated decision when choosing an alternative.

> For the md5 and sha1 functions. Although these algorithms are not useful
> for "verifying the authenticity of a payload", that doesn't mean they
> can't be used outside of that use case.

See my reply to Robert. The algorithms themselves are not going away. At least not as part of this RFC.

> I understand the reasons why you want to "nudge" people to no longer use
> these "unsafe" functions, but IMO, in this case, it's not worth the
> BC issues.
>

For both uniqid() and the md5()/sha1() section, the RFC specifically acknowledges that there is a vast collection of code using it and for this reason specifically defines an indefinite deprecation period (with a guarantee that indefinite is at least 5 years / until PHP 10).

Please keep in mind that a deprecation is not an error, not a removal and not a change in behavior. Users will be able to migrate at their own pace and for both uniqid() and md5()/sha1() there is a drop-in replacement provided in the RFC that is guaranteed to work with PHP 7.4+.

Best regards
Tim Düsterhus