Newsgroups: php.internals Path: news.php.net Xref: news.php.net php.internals:124272 X-Original-To: internals@lists.php.net Delivered-To: internals@lists.php.net Received: from php-smtp4.php.net (php-smtp4.php.net [45.112.84.5]) by qa.php.net (Postfix) with ESMTPS id 1E8E51A009C for ; Mon, 8 Jul 2024 03:04:22 +0000 (UTC) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=php.net; s=mail; t=1720407946; bh=NQ4Drd51/fkALFv0KElpgHIDUwTgJs2Jp/8l1MbJspw=; h=Subject:To:References:From:Date:In-Reply-To:From; b=bcY2maE9alN+KCt30/TKWCOvqV/pEAkzBaPa6oTINPr9PZ2SHH3gyefKDd5c8HFRM JARPiun8C+hBNs6BLLjIoZNFp9xh7Jgw9jL7tAhduTXiizjVIgyr+U0nlLqjhqcDMZ r/9pvoAkrejKSH5hKNW2tZExbECHvVGSCnhQehsrALoefAEaqzy29ncC/blWp3bd/+ scEuu1gE1p4q6ghjIB/aTZtferZTd4jUxqTAZQjz39fOsp/bk+Zwlaje5U/CH/KoDh Fj86lz+VoK9QUDWXlUnC9i29NKaecOC+OOgmqyghOWloo56YRrHbgckSoCvC2c+YZk royKSROR65eRw== Received: from php-smtp4.php.net (localhost [127.0.0.1]) by php-smtp4.php.net (Postfix) with ESMTP id 60AFC1806A3 for ; Mon, 8 Jul 2024 03:05:45 +0000 (UTC) X-Spam-Checker-Version: SpamAssassin 4.0.0 (2022-12-13) on php-smtp4.php.net X-Spam-Level: X-Spam-Status: No, score=-0.6 required=5.0 tests=ARC_SIGNED,ARC_VALID,BAYES_00, DKIM_SIGNED,DKIM_VALID,DKIM_VALID_AU,DKIM_VALID_EF,DMARC_MISSING, HTML_MESSAGE,NICE_REPLY_A,RCVD_IN_DNSWL_NONE,RCVD_IN_MSPIKE_H4, RCVD_IN_MSPIKE_WL,SPF_HELO_NONE,SPF_SOFTFAIL,T_SCC_BODY_TEXT_LINE autolearn=no autolearn_force=no version=4.0.0 X-Spam-Virus: Error (Cannot connect to unix socket '/var/run/clamav/clamd.ctl': connect: Connection refused) X-Envelope-From: Received: from firebrick.ash.relay.mailchannels.net (firebrick.ash.relay.mailchannels.net [23.83.222.59]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature RSA-PSS (2048 bits) server-digest SHA256) (No client certificate requested) by php-smtp4.php.net (Postfix) with ESMTPS for ; Mon, 8 Jul 2024 03:05:44 +0000 (UTC) X-Sender-Id: a2hosting|x-authuser|juliette@adviesenzo.nl Received: from relay.mailchannels.net (localhost [127.0.0.1]) by relay.mailchannels.net (Postfix) with ESMTP id 7094D504EDA for ; Mon, 8 Jul 2024 03:04:19 +0000 (UTC) Received: from nl1-ss105.a2hosting.com (unknown [127.0.0.6]) (Authenticated sender: a2hosting) by relay.mailchannels.net (Postfix) with ESMTPA id 78EC2504EB1 for ; Mon, 8 Jul 2024 03:04:18 +0000 (UTC) ARC-Seal: i=1; s=arc-2022; d=mailchannels.net; t=1720407859; a=rsa-sha256; cv=none; b=xL3cvEnu2TlgGh0eiWi0AnO8pgfR4zHJjoizvTTqPLK36j25xtmZU9h7SYJ5s2CHDh1OpJ aUzMSuVNm6gWDzWUWbnR7ZyHkn0rE4obEfuH+w6ix7t3J6E5N7rUPOSyls5ndTBiXF5PLO Lkbb7tk7P5EQw4rBS/xaW6PVMXPoDOayLnM7Qaf8lBevjno3pzYG6heD6IOjrUdB+DXL3/ rO4Uq86OE1TJuDamPn8pWfMQnpdx67GSEXJDuKnCUSgTNS9jql6+LB8kF1rIBFt9MyRtcE I/UqvkBbbm5qhp203lmGVijjTvGWIIxKy27YcvENOY3u4E1tSIBgw7xQs/fQ/Q== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=mailchannels.net; s=arc-2022; t=1720407858; h=from:from:reply-to:subject:subject:date:date:message-id:message-id: to:to:cc:mime-version:mime-version:content-type:content-type: in-reply-to:in-reply-to:references:references:dkim-signature; bh=fYK9rvNjob9cRqc9mU0G5NL8wnnW6Ke7F5mZzcQWkMM=; b=Ok2vXpVX7yeQhdd/s9tdA36SoSo9/fXwTIkrkEyPSu+AFpPxWgTE/ks9H9sc5B1HySoJUa /kXykzE2EhhBvjhzctCoNHYdBLQ/KHwsET3u/ZGInNKUzz/p306iEKu39qnEZVd9vSlCZ8 AoKkMRZoRX93P6ihSS8F/lHohw17P6qMTSyL+a1qFeRBhfaNiBDNwXFxrHQOWxI5ATpHw1 SoKnvchJclksbwK+aDDHqMu2ke/j8ZFiJGXXN9Rlas19g1UPKKbQOQIlddzlrCC5R/Fozs 0zkoyuetA87UQcDQCee+bOtPqPJECNXKceGKEZBgfr3dgTT3hZNzaa6tD4S0gw== ARC-Authentication-Results: i=1; rspamd-7c4f8cbcf8-6cn42; auth=pass smtp.auth=a2hosting smtp.mailfrom=php-internals_nospam@adviesenzo.nl X-Sender-Id: a2hosting|x-authuser|juliette@adviesenzo.nl X-MC-Relay: Neutral X-MailChannels-SenderId: a2hosting|x-authuser|juliette@adviesenzo.nl X-MailChannels-Auth-Id: a2hosting X-Robust-Robust: 4f1f0e02143971e5_1720407859392_3763875694 X-MC-Loop-Signature: 1720407859392:2347100164 X-MC-Ingress-Time: 1720407859392 Received: from nl1-ss105.a2hosting.com (nl1-ss105.a2hosting.com [85.187.142.69]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384) by 100.104.40.171 (trex/6.9.2); Mon, 08 Jul 2024 03:04:19 +0000 DKIM-Signature: v=1; a=rsa-sha256; q=dns/txt; c=relaxed/relaxed; d=adviesenzo.nl; s=default; h=Content-Type:In-Reply-To:MIME-Version:Date: Message-ID:From:References:To:Subject:Sender:Reply-To:Cc: Content-Transfer-Encoding:Content-ID:Content-Description:Resent-Date: Resent-From:Resent-Sender:Resent-To:Resent-Cc:Resent-Message-ID:List-Id: List-Help:List-Unsubscribe:List-Subscribe:List-Post:List-Owner:List-Archive; bh=fYK9rvNjob9cRqc9mU0G5NL8wnnW6Ke7F5mZzcQWkMM=; b=gdrZ4IRTgqrcs1EXgXoYSP4bco ebZCK4hpdqcv83BGEO1lYir2OzJPMajrRdXN01IoOroAHsra7rgMc3zKyo7WrpUs0G2TekJCFWQwv fxwZM7LEpYWIU2GZRCktGhfrGVsliuXmHOocWY4hdEDexrUu6DyJ6IXczffyigC7r26c=; Received: from mailnull by nl1-ss105.a2hosting.com with spam-scanner (Exim 4.97.1) (envelope-from ) id 1sQefo-0000000G2lc-2kKc for internals@lists.php.net; Mon, 08 Jul 2024 05:04:16 +0200 X-ImunifyEmail-Filter-Info: UkNWRF9WSUFfU01UUF9BVVRIIFJDVkRfVExTX0FMTCBWRVJJ TE9DS19 DQiBSQ1ZEX0NPVU5UX09ORSBCQVlFU19IQU0gQVJDX05BIE1JTUVfVU 5LTk9XTiBNSURfUkhTX01BVENIX0ZST00gRlJPTV9FUV9FTlZGUk9NI E1JTUVfVFJBQ0UgRlJPTV9IQVNfRE4gVE9fRE5fTk9ORSBSQ1BUX0NP VU5UX09ORSBJRV9WTF9QQkxfQUNDT1VOVF8wMSBUT19NQVRDSF9FTlZ SQ1BUX0FMTCBfRFJVR1NfTU1fRElTQ09VTlQgQVNO X-ImunifyEmail-Filter-Action: no action X-ImunifyEmail-Filter-Score: 2.05 X-ImunifyEmail-Filter-Version: 3.5.16/202406140020 Received: from [31.201.40.213] (port=65246 helo=[192.168.1.16]) by nl1-ss105.a2hosting.com with esmtpsa (TLS1.2) tls TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256 (Exim 4.97.1) (envelope-from ) id 1sQefp-0000000G2kc-24TB for internals@lists.php.net; Mon, 08 Jul 2024 05:04:16 +0200 Subject: Re: [PHP-DEV] [RFC] Deprecations for PHP 8.4 To: internals@lists.php.net References: <6683CDE4.7050607@adviesenzo.nl> Message-ID: <668B5728.40300@adviesenzo.nl> Date: Mon, 8 Jul 2024 05:04:08 +0200 User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; rv:38.0) Gecko/20100101 Thunderbird/38.7.0 Precedence: bulk list-help: list-post: List-Id: internals.lists.php.net MIME-Version: 1.0 In-Reply-To: Content-Type: multipart/alternative; boundary="------------040400070102030007060103" X-AuthUser: juliette@adviesenzo.nl From: php-internals_nospam@adviesenzo.nl (Juliette Reinders Folmer) This is a multi-part message in MIME format. --------------040400070102030007060103 Content-Type: text/plain; charset=utf-8; format=flowed Content-Transfer-Encoding: 7bit On 2-7-2024 20:05, Gina P. Banyard wrote: > On Tuesday, 2 July 2024 at 10:52, Juliette Reinders Folmer > wrote: >> On 25-6-2024 16:36, Gina P. Banyard wrote: >>> Hello internals, >>> >>> It is this time of year again where we proposed a list of deprecations to add in PHP 8.4: >>> >>> https://wiki.php.net/rfc/deprecations_php_8_4 >>> >>> As a reminder, this list has been compiled over the course of the past year by various different people. >>> >>> And as usual, each deprecation will be voted in isolation. >>> >>> We still have a bit of time buffer, so if anyone else has any suggestions, they are free to add them to the RFC. >>> >>> Some should be non-controversial, others a bit more. >>> If such, they might warrant their own dedicated RFC, or be dropped from the proposal altogether. >>> >>> >>> Best regards, >>> >>> Gina P. Banyard >>> >> Thanks for making those updates Gina! >> >> * While a number of proposals include an impact analysis (thank >> you!), a significant number of the proposals don't. >> It would be appreciated if for those proposals which aren't removing >> unused/unusable functionality, some sort of impact analysis was added. > > You will need to clarify which ones you are talking about. > These "bulk removal" RFCs are written by various authors over the > course of a year, and might not have been looked at for 9+ months. I'd suggest for an impact analysis/expected impact statement to be added to the following deprecation proposals: * session.sid_length and session.sid_bits_per_character * xml_set_object() and xml_set_*_handler() with string method names * Deprecate proprietary CSV escaping mechanism * Deprecate strtok() function * Deprecate returning non-strings values from a user output handler * Deprecate producing output in a user output handler * Deprecate mysqli_refresh() * Deprecate mysqli_kill() * Deprecate lcg_value() * Deprecate md5(), sha1(), md5_file(), and sha1_file() (add an actual analysis, not just a statement as this is a high impact proposal) * Deprecate passing E_USER_ERROR to trigger_error() * Deprecate SOAP_FUNCTIONS_ALL constant and passing it to SoapServer::addFunction() And to a lesser degree for: * Formally deprecate Soft-deprecated DOMDocument and DOMEntity properties * Deprecate SplFixedArray::__wakeup() * Deprecate passing null and false to dba_key_split() * Deprecate passing incorrect data types for options to ext/hash functions * Constants SUNFUNCS_RET_STRING, SUNFUNCS_RET_DOUBLE, SUNFUNCS_RET_TIMESTAMP * Remove E_STRICT error level and deprecate E_STRICT constant * mysqli_ping() and mysqli::ping() P.S.: typo in "xml_set_object() and xml_set_*_handler() with string method names": "witch" => "which" >> Other than that, I join the previously voiced objections to the >> deprecation of `uniqid()`, `md5()`, `sha1()`, `md5_file()`, >> `sha1_file()`. >> While I acknowledge that these functions _can_ be used >> inappropriately for security-sensitive code, which should use >> alternative methods, these functions have perfectly valid use-cases >> for non-security-sensitive code and the impact of the BC-break of >> deprecating and eventually removing these methods can, IMO, not be >> justified. >> Keep in mind that while "we" know and understand that deprecations >> are not errors, end-users often don't and particularly for open >> source projects, this means that in practice these deprecations will >> need to be addressed anyway to reduce the noise of users opening >> issues about them, which without a clear path to removal of the >> functions, will, in a lot of cases, mean adding the `@` operator to >> all uses. > > If I may be a bit cheeky, if we consider that userland does not > understand that deprecations are not errors, how can we trust them to > use the 5 aforementioned functions correctly? > Especially as there are more appropriate replacements available. There is a difference between "userland" (dev-users) and end-users. I was talking about end-users, while based on your remark, you are talking about dev-users. I also don't agree that there are "more appropriate replacements available". The suggested `hash()` replacements for the md5/sha1* functions have the exact same functionality, which the RFC considers "incorrect use", so what are we actually solving by this deprecation ? Devs not having enough to do already ? The problem (for open source) with "force-replacing" the uses of `md5/sha1*` functions with the `hash` function calls, is that the hash extension was not part of PHP core until PHP 7.4, which means that for a significant number of open source projects, the replacement is not a one-on-one function call replacement, but needs guard code for PHP < 7.4 in case the hash extension is not available. Also, having read through the RFC a second time, I find the voting choices inconsistent - in particular the first deprecation vote, which makes the others ambiguous. Could each voting choice please be explicitly one of the below to prevent any confusion ? * Remove in PHP 8.4 * Deprecate in PHP 8.4 and remove in PHP 9 * Deprecate in PHP 8.4 and remove at a later date after a separate vote Smile, Juliette --------------040400070102030007060103 Content-Type: text/html; charset=utf-8 Content-Transfer-Encoding: 8bit
On 2-7-2024 20:05, Gina P. Banyard wrote:
On Tuesday, 2 July 2024 at 10:52, Juliette Reinders Folmer <php-internals_nospam@adviesenzo.nl> wrote:
On 25-6-2024 16:36, Gina P. Banyard wrote:
Hello internals,

It is this time of year again where we proposed a list of deprecations to add in PHP 8.4:

https://wiki.php.net/rfc/deprecations_php_8_4

As a reminder, this list has been compiled over the course of the past year by various different people.

And as usual, each deprecation will be voted in isolation.

We still have a bit of time buffer, so if anyone else has any suggestions, they are free to add them to the RFC.

Some should be non-controversial, others a bit more.
If such, they might warrant their own dedicated RFC, or be dropped from the proposal altogether.


Best regards,

Gina P. Banyard


Thanks for making those updates Gina!


* While a number of proposals include an impact analysis (thank you!), a significant number of the proposals don't.
It would be appreciated if for those proposals which aren't removing unused/unusable functionality, some sort of impact analysis was added.

You will need to clarify which ones you are talking about.
These "bulk removal" RFCs are written by various authors over the course of a year, and might not have been looked at for 9+ months.

I'd suggest for an impact analysis/expected impact statement to be added to the following deprecation proposals:
* session.sid_length and session.sid_bits_per_character
* xml_set_object() and xml_set_*_handler() with string method names
* Deprecate proprietary CSV escaping mechanism
* Deprecate strtok() function
* Deprecate returning non-strings values from a user output handler
* Deprecate producing output in a user output handler
* Deprecate mysqli_refresh()
* Deprecate mysqli_kill()
* Deprecate lcg_value()
* Deprecate md5(), sha1(), md5_file(), and sha1_file() (add an actual analysis, not just a statement as this is a high impact proposal)
* Deprecate passing E_USER_ERROR to trigger_error()
* Deprecate SOAP_FUNCTIONS_ALL constant and passing it to SoapServer::addFunction()

And to a lesser degree for:
* Formally deprecate Soft-deprecated DOMDocument and DOMEntity properties
* Deprecate SplFixedArray::__wakeup()
* Deprecate passing null and false to dba_key_split()
* Deprecate passing incorrect data types for options to ext/hash functions
* Constants SUNFUNCS_RET_STRING, SUNFUNCS_RET_DOUBLE, SUNFUNCS_RET_TIMESTAMP
* Remove E_STRICT error level and deprecate E_STRICT constant
* mysqli_ping() and mysqli::ping()


P.S.: typo in "xml_set_object() and xml_set_*_handler() with string method names": "witch" => "which"

Other than that, I join the previously voiced objections to the deprecation of `uniqid()`, `md5()`, `sha1()`, `md5_file()`, `sha1_file()`.
While I acknowledge that these functions _can_ be used inappropriately for security-sensitive code, which should use alternative methods, these functions have perfectly valid use-cases for non-security-sensitive code and the impact of the BC-break of deprecating and eventually removing these methods can, IMO, not be justified.
Keep in mind that while "we" know and understand that deprecations are not errors, end-users often don't and particularly for open source projects, this means that in practice these deprecations will need to be addressed anyway to reduce the noise of users opening issues about them, which without a clear path to removal of the functions, will, in a lot of cases, mean adding the `@` operator to all uses.

If I may be a bit cheeky, if we consider that userland does not understand that deprecations are not errors, how can we trust them to use the 5 aforementioned functions correctly?
Especially as there are more appropriate replacements available.

There is a difference between "userland"  (dev-users) and end-users. I was talking about end-users, while based on your remark, you are talking about dev-users.

I also don't agree that there are "more appropriate replacements available".
The  suggested `hash()` replacements for the md5/sha1* functions have the exact same functionality, which the RFC considers "incorrect use", so what are we actually solving by this deprecation ? Devs not having enough to do already ?
The problem (for open source) with "force-replacing" the uses of `md5/sha1*` functions with the `hash` function calls, is that the hash extension was not part of PHP core until PHP 7.4, which means that for a significant number of open source projects, the replacement is not a one-on-one function call replacement, but needs guard code for PHP < 7.4 in case the hash extension is not available.


Also, having read through the RFC a second time, I find the voting choices inconsistent - in particular the first deprecation vote, which makes the others ambiguous.
Could each voting choice please be explicitly one of the below to prevent any confusion ?
* Remove in PHP 8.4
* Deprecate in PHP 8.4 and remove in PHP 9
* Deprecate in PHP 8.4 and remove at a later date after a separate vote


Smile,
Juliette --------------040400070102030007060103--