Newsgroups: php.internals
Path: news.php.net
Xref: news.php.net php.internals:124431
X-Original-To: internals@lists.php.net
Delivered-To: internals@lists.php.net
Received: from php-smtp4.php.net (php-smtp4.php.net [45.112.84.5])
	by qa.php.net (Postfix) with ESMTPS id 648361A00B7
	for <internals@lists.php.net>; Mon, 15 Jul 2024 13:56:45 +0000 (UTC)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=php.net; s=mail;
	t=1721051894; bh=YM9lmtTJN8Vb7CpqN6YYD86LNrMrnLJzPuvTKwUjoAY=;
	h=Date:Subject:To:References:From:In-Reply-To:From;
	b=SoMdLkG3M/VBQPJinCzRyuAnn7Kz3Ss+EkxQXZcUxgZMujHDeDI3rTdOBjtRV6OGp
	 sr4WtVzouzgoyvoGjcH9T0aLl+MIc862wAUpgCnDO7hek6KrAgMDovGnUN8GNupOyw
	 XEHv59Z7v/gzRsOUwRyZyxJBeiggp++T4gWMDMUkGO68q4+4DIyhG0ZBAKNF2f/2i8
	 jIntFtQqsDkw94PoDcEzPtuvBrTIuhWOXHafIvZO4lZby9csOgembask01i8rp6wZH
	 urito9yYW7hP5GvifCmpzVutJFHc9Gcgq/zRFrQmi+K+zdKy8hOK5TnLZM5winq31B
	 vfTuytamdk0tw==
Received: from php-smtp4.php.net (localhost [127.0.0.1])
	by php-smtp4.php.net (Postfix) with ESMTP id 49F0C18004B
	for <internals@lists.php.net>; Mon, 15 Jul 2024 13:58:13 +0000 (UTC)
X-Spam-Checker-Version: SpamAssassin 4.0.0 (2022-12-13) on php-smtp4.php.net
X-Spam-Level: 
X-Spam-Status: No, score=0.2 required=5.0 tests=BAYES_50,DKIM_SIGNED,
	DKIM_VALID,DKIM_VALID_AU,DKIM_VALID_EF,DMARC_PASS,
	FREEMAIL_ENVFROM_END_DIGIT,FREEMAIL_FROM,RCVD_IN_DNSWL_LOW,
	RCVD_IN_MSPIKE_H3,RCVD_IN_MSPIKE_WL,SPF_HELO_NONE,SPF_PASS
	autolearn=no autolearn_force=no version=4.0.0
X-Spam-Virus: No
X-Envelope-From: <cmbecker69@gmx.de>
Received: from mout.gmx.net (mout.gmx.net [212.227.17.22])
	(using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits)
	 key-exchange ECDHE (prime256v1) server-signature RSA-PSS (2048 bits) server-digest SHA256)
	(No client certificate requested)
	by php-smtp4.php.net (Postfix) with ESMTPS
	for <internals@lists.php.net>; Mon, 15 Jul 2024 13:58:12 +0000 (UTC)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmx.de;
	s=s31663417; t=1721051801; x=1721656601; i=cmbecker69@gmx.de;
	bh=XH86+7TvF21XvoiW/lMz8/l3PoqCQt8ho8xpqBYj1Sg=;
	h=X-UI-Sender-Class:Message-ID:Date:MIME-Version:Subject:To:
	 References:From:In-Reply-To:Content-Type:
	 Content-Transfer-Encoding:cc:content-transfer-encoding:
	 content-type:date:from:message-id:mime-version:reply-to:subject:
	 to;
	b=FJip393jJKDB5i9cWpgGD5nIgyq2nT3Rb/acmp2Qi/VDbhb/ty9m4Qn6gtcFAh2A
	 rmlcy3glfSAFAEJwAXpBZ3SUpPZ5AUJ6IdookaE67W0v+ub+gO88kaDHNq3LZPG1J
	 ElmW1Tsm/4jl2Jqc0kbfCMrIcuJoIQcIrwvzNcZS0K0M9t2TvqVlMaSfId/1ZOo7R
	 1VOg2p0QsgAuqYgFm36wyZfI4RrfHcLp0MTCZox6tIjGdokhu7dSZYCu4Qqcigoo7
	 aUJTNy56/JMwI46sNlpFpU3RvGRht/H4Ux++X4jk7m3jICAT+pmhEUBpMEj0M6Qtu
	 0HMm0Gg7Rdm5G9dbFQ==
X-UI-Sender-Class: 724b4f7f-cbec-4199-ad4e-598c01a50d3a
Received: from [192.168.2.130] ([79.251.222.223]) by mail.gmx.net (mrgmx105
 [212.227.17.168]) with ESMTPSA (Nemesis) id 1MatRT-1rwlGM3F1f-00kCyv; Mon, 15
 Jul 2024 15:56:41 +0200
Message-ID: <61cbb650-17d7-4dbf-a73b-8265d6af2d4f@gmx.de>
Date: Mon, 15 Jul 2024 15:56:42 +0200
Precedence: bulk
list-help: <mailto:internals+help@lists.php.net
list-unsubscribe: <mailto:internals+unsubscribe@lists.php.net>
list-post: <mailto:internals@lists.php.net>
List-Id: internals.lists.php.net
MIME-Version: 1.0
User-Agent: Mozilla Thunderbird
Subject: Re: [PHP-DEV] [RFC] Deprecations for PHP 8.4
Content-Language: de-DE
To: Juliette Reinders Folmer <php-internals_nospam@adviesenzo.nl>,
 internals@lists.php.net
References: <bw20I5b7ly3lSbI-2Bv3kfrfTVJbDo5RhwBiQa1PEwuLjprDJWptPajLiaialj1RLVKu7z1j0MofJUhhRVtzT_5i2E11oKeQx_VMUxnKhUE=@gpb.moe>
 <6683CDE4.7050607@adviesenzo.nl>
 <Skh-IB3l7OxslclNZdB5ZE3G5PaIvpoz3iojK10noNbXkj1odNNvzI5w7X1aSj7IKZ951646yQ8IrUW_wNaQuv94NB0jo3IXlFImcpu_hxc=@gpb.moe>
 <668B5728.40300@adviesenzo.nl>
In-Reply-To: <668B5728.40300@adviesenzo.nl>
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: quoted-printable
X-Provags-ID: V03:K1:Czy1sRwg7RJe1Q2ZOayjCoCVkIJy08joD2KdJOkNcjxDgVIpotr
 1YAOMW3900n8+eI5/rL5tLEDMs6j7tPQzbXIcmMFu6JPcHU32mmMSdce1QPIeurH1KxceCn
 mNLxqQ0zkrC/cOvX7iejEnQmC8JWAga0Sor5MGJLG/lN0adRADOUQq2jmnTo36AwLJZY1hl
 s1hsKxiYfIf7OTQwcqExw==
UI-OutboundReport: notjunk:1;M01:P0:BaLD/weVKes=;MoGw15POcL9N/PVbePf5DHqUZtM
 643SUbU9QOOzvdDGfBlxHip5qbK6X5Bf/lVRKLDB96gIXSU8ue2zbdTkI68QjN6LrqMWnRLmp
 AwuX+4b6mdwLLgEjsEIm7XFjkY6T7cAdBPDZKZx4ku5M07FTKS1NAMnitcL7jg+31usuRfI2/
 yxmWqvsH+J08k0TnJWxvL27p/+fefy5f8m23SEGaBfvqSXfSVvqJGRsgvHUo+A47ZKEQBLlfE
 MzA+AQd4u2g4PgGjIWRudlHiSpGmJP0lJqbiZQoYnHLrZh7rnhs7k0JyutnZhVHtSlxbESrJV
 mPmJdU9+bTlYo3qtWn8yZOaL5CedNMyeJIuDKF13WzeJcuy580IdeWMTJ03Ro7TsPsZ29NGGR
 cdk0PxasajMoJKwF8lL4VvUwST8WgA7wNlvt04cJ0BTr4JahYcDGuS74rWPEDcEsccSDjoAek
 80/pDC1ULd8RH2QrvWQvmER0idxd5C3Snk5Y44kNUwuC6GwckpjB05R/XCawqFXdnTIhkXibc
 HPcZv+ystyCCKiwLUEKjcGHNtp/0HcJWvuGGtUUVFxjodDG++lsBF0FQQT+2U6nvpnijELMma
 +dsAc+ITeAVUR8fZbDWe+ztq8dLJsrVxecr+tSFhiQweZmuH95igKeKQEkSDv1dqAHgMJTF5y
 INUfNua8fg49UpCL8jpkOPU+g4tZekG8iO0CdnmoDJnNS1Plq+fPB/TtMhUudQhJfldMUTF57
 Ixgcb2tFUkJ0ZuIkkpFSN383EHd4B0xK0b9ckfq4PkuxzRcnY2m/9Ebjl9qSDi5i6SwyiImi+
 BSx8aTJXRU0M3bg1J4B+xnBCAXk5JJl8lm7g30ZnWWfMQ=
From: cmbecker69@gmx.de ("Christoph M. Becker")

On 08.07.2024 at 05:04, Juliette Reinders Folmer wrote:

> On 2-7-2024 20:05, Gina P. Banyard wrote:
>
>> On Tuesday, 2 July 2024 at 10:52, Juliette Reinders Folmer
>> <php-internals_nospam@adviesenzo.nl> wrote:
>>
>>> Other than that, I join the previously voiced objections to the
>>> deprecation of `uniqid()`, `md5()`, `sha1()`, `md5_file()`,
>>> `sha1_file()`.
>>> While I acknowledge that these functions _can_ be used
>>> inappropriately for security-sensitive code, which should use
>>> alternative methods, these functions have perfectly valid use-cases
>>> for non-security-sensitive code and the impact of the BC-break of
>>> deprecating and eventually removing these methods can, IMO, not be
>>> justified.
>>> Keep in mind that while "we" know and understand that deprecations
>>> are not errors, end-users often don't and particularly for open
>>> source projects, this means that in practice these deprecations will
>>> need to be addressed anyway to reduce the noise of users opening
>>> issues about them, which without a clear path to removal of the
>>> functions, will, in a lot of cases, mean adding the `@` operator to
>>> all uses.
>>
>> If I may be a bit cheeky, if we consider that userland does not
>> understand that deprecations are not errors, how can we trust them to
>> use the 5 aforementioned functions correctly?
>> Especially as there are more appropriate replacements available.
>
> There is a difference between "userland"=C2=A0 (dev-users) and end-users=
. I
> was talking about end-users, while based on your remark, you are talking
> about dev-users.

To clarify, by end-users you are referring to users who install and
"operate" (open-source) software on (shared) hosting.  If so, indeed
they may stumble upon deprecation notices, and from my (limited)
experience, they will report that as issue, unless the software
developers release a new version which does not trigger these
deprecation notices.  This is unfortunate, but I really do hope that
these developers only use the shut-up operator when all else fails, and
that they remove it as soon as possible.  Yeah, even more work, but that
is what you are sometimes not paid for. ;)

> I also don't agree that there are "more appropriate replacements
> available".
> The=C2=A0 suggested `hash()` replacements for the md5/sha1* functions ha=
ve
> the exact same functionality, which the RFC considers "incorrect use",
> so what are we actually solving by this deprecation ? Devs not having
> enough to do already ?
> The problem (for open source) with "force-replacing" the uses of
> `md5/sha1*` functions with the `hash` function calls, is that the hash
> extension was not part of PHP core until PHP 7.4, which means that for a
> significant number of open source projects, the replacement is not a
> one-on-one function call replacement, but needs guard code for PHP < 7.4
> in case the hash extension is not available.

Well, I don't think it's hard to deal with deprecations for which
alternatives are easily available.  Just replace all e.g. md5() calls
with something namespaced, and define that function depending on the PHP
version.

With regard to md5() and sha1() my first though was that we easily could
keep them as aliases.  However, the RFC explains that it might be a good
idea to *reconsider* the use cases, and that is a good idea, in my opinion=
.

I do not, however, agree with the reasoning that a function (like
uniqid()) is often used in a unsafe way (i.e. for purposes it has not
been designed), and therefore should be deprecated/removed.  There are
likely a couple of developers who are easily rolling their own
implementation which can be way worse.  I've seen "encryption" code
which was basically a Caesar cipher, spiced with some obsure function
calls to make it "even more safe".  And I've seen obscure HTML escaping
code with an not so obvious back-door, that was once available as user
note on php.net.

That doesn't mean that I'm against the uniqid() deprecation, especially
if the deprecation message is clear on what to use instead.

Cheers,
Christoph