Newsgroups: php.internals Path: news.php.net Xref: news.php.net php.internals:124176 X-Original-To: internals@lists.php.net Delivered-To: internals@lists.php.net Received: from php-smtp4.php.net (php-smtp4.php.net [45.112.84.5]) by qa.php.net (Postfix) with ESMTPS id 011941A009C for ; Tue, 2 Jul 2024 11:13:56 +0000 (UTC) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=php.net; s=mail; t=1719918916; bh=8KQnKyfGBz24tC2g2w7CpKY2FYQBkGmJV+FWsapxR+M=; h=Date:Subject:To:References:From:In-Reply-To:From; b=CEe+MgX0K90Z1mYmUkBDyQ+0GM6flBMHV6ExVC03PvjQjM1n//mQNTgdiPbEvA/g/ 2irfoIfXic3dl+hc7/c/PF8vWVcyO0vahjkQxoHuQ51BEs6X8bUA1k8EQCSs/7FxUW r5jKuxc7KXWGTTF+AGrEt2k2L94IdgOOwnlIAWfioJytvwnt9C/7XfCSJts76dUDM6 4qCxiV4tTVyJbIpKezRgkPNMaZBymuBlg1ysYk8rIRNOZyUTRqJZX4PEloLEDuAsj9 9EJsxvBjaBguvRxyeVMEXPp7AW53YVb3tXqNj4KMa8WZUythMAX416VN67dcl4mAvb aA7c+juIMHabA== Received: from php-smtp4.php.net (localhost [127.0.0.1]) by php-smtp4.php.net (Postfix) with ESMTP id 9526918005B for ; Tue, 2 Jul 2024 11:15:14 +0000 (UTC) X-Spam-Checker-Version: SpamAssassin 4.0.0 (2022-12-13) on php-smtp4.php.net X-Spam-Level: X-Spam-Status: No, score=0.8 required=5.0 tests=BAYES_50,DMARC_MISSING, SPF_HELO_NONE,SPF_PASS,T_SCC_BODY_TEXT_LINE autolearn=no autolearn_force=no version=4.0.0 X-Spam-Virus: Error (Cannot connect to unix socket '/var/run/clamav/clamd.ctl': connect: Connection refused) X-Envelope-From: Received: from gavin.smtp.mailx.hosts.net.nz (gavin.smtp.mailx.hosts.net.nz [43.245.52.167]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange ECDHE (prime256v1) server-signature RSA-PSS (2048 bits) server-digest SHA256) (No client certificate requested) by php-smtp4.php.net (Postfix) with ESMTPS for ; Tue, 2 Jul 2024 11:15:13 +0000 (UTC) Received: from 222-152-65-7-vdsl.sparkbb.co.nz ([222.152.65.7] helo=[192.168.1.67]) by gavin.smtp.mailx.hosts.net.nz with esmtpsa authed as varteg.nz (TLS1.3:ECDHE_X25519__RSA_PSS_RSAE_SHA256__AES_128_GCM:128) (Exim 4.96) (envelope-from ) id 1sObSI-00E3J7-0m for internals@lists.php.net; Tue, 02 Jul 2024 23:13:50 +1200 Message-ID: <5a2cd571-d681-4095-aa1b-be175f1778e9@varteg.nz> Date: Tue, 2 Jul 2024 23:13:39 +1200 Precedence: bulk list-help: list-post: List-Id: internals.lists.php.net MIME-Version: 1.0 User-Agent: Mozilla Thunderbird Subject: Re: [PHP-DEV] [RFC] Deprecations for PHP 8.4 To: internals@lists.php.net References: <6683CDE4.7050607@adviesenzo.nl> Content-Language: en-GB In-Reply-To: <6683CDE4.7050607@adviesenzo.nl> Content-Type: text/plain; charset=UTF-8; format=flowed Content-Transfer-Encoding: 7bit X-Hosts-DKIM-Check: none From: weedpacket@varteg.nz (Morgan) On 2024-07-02 21:52, Juliette Reinders Folmer wrote: > Other than that, I join the previously voiced objections to the > deprecation of `uniqid()`, `md5()`, `sha1()`, `md5_file()`, `sha1_file()`. > While I acknowledge that these functions _can_ be used inappropriately > for security-sensitive code, which should use alternative methods, these > functions have perfectly valid use-cases for non-security-sensitive code > and the impact of the BC-break of deprecating and eventually removing > these methods can, IMO, not be justified. `md5()`, `sha1_file()` et al. are duplicated by `hash('md5')`, `hash_file('sha1')`, etc. These work in exactly the same way and produce exactly the same output as the dedicated functions and can be used just as appropriately or inappropriately. Why, except in deference to their age, continue calling out MD5 and SHA1 in particular for special consideration? `uniqid()` doesn't have such an obvious translation (of the half-dozen alternatives in the RFC, the closest one is the first), but that's because its output isn't very good anyway: it doesn't even guarantee uniqueness. The biggest effort in replacing it would come if you were relying on the main part[1] of its output being strictly increasing (which would be a mistake because it might not be). [1] The main part is just a timestamp, extra entropy is provided by a call to random_bytes(4). > Keep in mind that while "we" know and understand that deprecations are > not errors, end-users often don't and particularly for open source > projects, this means that in practice these deprecations will need to be > addressed anyway to reduce the noise of users opening issues about them, > which without a clear path to removal of the functions, will, in a lot > of cases, mean adding the `@` operator to all uses. Well, that's true of _any_ deprecation. Fortunately for these functions at least, clear paths for their removal are just that - clear.