Newsgroups: php.internals Path: news.php.net Xref: news.php.net php.internals:124432 X-Original-To: internals@lists.php.net Delivered-To: internals@lists.php.net Received: from php-smtp4.php.net (php-smtp4.php.net [45.112.84.5]) by qa.php.net (Postfix) with ESMTPS id 518BC1A00B7 for ; Mon, 15 Jul 2024 14:13:15 +0000 (UTC) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=php.net; s=mail; t=1721052883; bh=suNmQN0zWDpGhuEeZ89qG1RAewEP3BSCxisFHPbB9VQ=; h=In-Reply-To:References:Date:From:To:Cc:Subject:From; b=UuflRa1L6EIaNbSEaqg1GHvkSj72CD2NU48W9yo+gij711CJjM13nTUrOD6pS6alr HEeowj2I7jEBlLyGfeYf14181hS2MvLg2TVi2eXzWSuYjTy74BhgOjvg5xZV9Kf1P/ eNAIFAXWRCfUmHD+iz53qs768RgG/zztnEj+BOcQMRzj0lNgDq0aG4Bnx9nivkHC8R wQunlExONeqGcrRbMpkHxx40H8TfxOXRAyV5JH+UN9MN3Sl1UxVJOSEMvaJQQe9n0Q kZa7jllPMOjU3H7SSSrAcETqfTO+XUqjAxv86gGNTcVm0pMnmd7pzPx/TNZNx+ZYu5 yi7lVD6YcvZUQ== Received: from php-smtp4.php.net (localhost [127.0.0.1]) by php-smtp4.php.net (Postfix) with ESMTP id 0B89E18038E for ; Mon, 15 Jul 2024 14:14:43 +0000 (UTC) X-Spam-Checker-Version: SpamAssassin 4.0.0 (2022-12-13) on php-smtp4.php.net X-Spam-Level: X-Spam-Status: No, score=-0.1 required=5.0 tests=BAYES_50,DKIM_SIGNED, DKIM_VALID,DKIM_VALID_AU,DKIM_VALID_EF,DMARC_MISSING,HTML_MESSAGE, RCVD_IN_DNSWL_LOW,RCVD_IN_MSPIKE_H4,RCVD_IN_MSPIKE_WL,SPF_HELO_PASS, SPF_PASS autolearn=no autolearn_force=no version=4.0.0 X-Spam-Virus: No X-Envelope-From: Received: from fout2-smtp.messagingengine.com (fout2-smtp.messagingengine.com [103.168.172.145]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature RSA-PSS (2048 bits) server-digest SHA256) (No client certificate requested) by php-smtp4.php.net (Postfix) with ESMTPS for ; Mon, 15 Jul 2024 14:14:42 +0000 (UTC) Received: from compute1.internal (compute1.nyi.internal [10.202.2.41]) by mailfout.nyi.internal (Postfix) with ESMTP id 238D71388A8B; Mon, 15 Jul 2024 10:13:13 -0400 (EDT) Received: from imap49 ([10.202.2.99]) by compute1.internal (MEProxy); Mon, 15 Jul 2024 10:13:13 -0400 DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=bottled.codes; h=cc:cc:content-type:content-type:date:date:from:from :in-reply-to:in-reply-to:message-id:mime-version:references :reply-to:subject:subject:to:to; s=fm3; t=1721052793; x= 1721139193; bh=HhhRLboKRwP6qD/pn0BSzYZm1JlRT2BnquSsJ+85oBE=; b=X hACNsA9I1/Y+f8PR8mb0IY9kONH58nFG63RCBKqMjwBw7V71FOGXgr+qDfcaCyKW ygHqT6BPJ8NuaGZBHM9XDDTQqsAuZcCWsYNFejbj5u0kYAFi5g2f4E7GWzT5Pbwf 6ttGnTXvBxdJGcrdazQHNnPeAUd9QZWRx/GGV29oT/wmdbMznZAxHu0LMzeolQ7g T04ae7ooE9oRC7NSrwTOojmZ/RIFq9gn5iJoHIvJw2aKGu4UM7l/FSrc3ZQYuLRW /fJ1PGlPnH4CVw/JGpC/sM0DLSV9ZKW9knM4k98RRdaOmipAcE4mh1qSG7z/DxsX TJgw6RB9PcOtQwpRA5Aug== DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d= messagingengine.com; h=cc:cc:content-type:content-type:date:date :feedback-id:feedback-id:from:from:in-reply-to:in-reply-to :message-id:mime-version:references:reply-to:subject:subject:to :to:x-me-proxy:x-me-proxy:x-me-sender:x-me-sender:x-sasl-enc; s= fm2; t=1721052793; x=1721139193; bh=HhhRLboKRwP6qD/pn0BSzYZm1JlR T2BnquSsJ+85oBE=; b=vzoVuOpGoNmAZNTGyv/1CY2LqDmb+bHX0gFfPs1BVYEM WAvFh932BbUqwDeC4TkyXvs41d9CyzuPXo/rZKTOvB+gC9ph9frh7zkWkhG0b86R XS3dKdrnfGyC2vGl6v2TRi+UaZx5Epl9qxrXhUXdHJZlBHO6rBX0dRJy5ht09iQF 756fWdXrvccF9pC/P2eqkOoPNOM1Jcj2MAlUKtSq8xA0URimN3a5NU6xdPaLyqI6 yKpcQoE9b944klVV+wFkn+ZBV6MVS3IoPoyfiuWQ4otzNM2l1HOCZ22qz03oSvk3 J3spO/rzVWNrYP5lz2BR7KO7oGN4zd711d7cTU20bQ== X-ME-Sender: X-ME-Proxy-Cause: gggruggvucftvghtrhhoucdtuddrgeeftddrgedvgdejfecutefuodetggdotefrodftvf curfhrohhfihhlvgemucfhrghsthforghilhdpqfgfvfdpuffrtefokffrpgfnqfghnecu uegrihhlohhuthemuceftddtnecunecujfgurhepofgfggfkjghffffhvfevufgtsegrtd erreerreejnecuhfhrohhmpedftfhosgcunfgrnhguvghrshdfuceorhhosgessghothht lhgvugdrtghouggvsheqnecuggftrfgrthhtvghrnhepvdehkeetleevteefveegkefgff dvuefhleevhedvteeigfegtdefjeehtefghfeunecuvehluhhsthgvrhfuihiivgeptden ucfrrghrrghmpehmrghilhhfrhhomheprhhosgessghothhtlhgvugdrtghouggvsh X-ME-Proxy: Feedback-ID: ifab94697:Fastmail Received: by mailuser.nyi.internal (Postfix, from userid 501) id 4F08415A0092; Mon, 15 Jul 2024 10:13:11 -0400 (EDT) X-Mailer: MessagingEngine.com Webmail Interface User-Agent: Cyrus-JMAP/3.11.0-alpha0-568-g843fbadbe-fm-20240701.003-g843fbadb Precedence: bulk list-help: list-post: List-Id: internals.lists.php.net MIME-Version: 1.0 Message-ID: In-Reply-To: <3XlxyoEWXN5MLqWhlh4uQMXGc2DRs7OH72f_InABxrhsBVTZIPOrfO3qEKqG94844M2r3FUS_zGMa60dENgvLP6TC8zOWZASkN6w6ZxsaxM=@gpb.moe> References: <6683CDE4.7050607@adviesenzo.nl> <668B5728.40300@adviesenzo.nl> <3XlxyoEWXN5MLqWhlh4uQMXGc2DRs7OH72f_InABxrhsBVTZIPOrfO3qEKqG94844M2r3FUS_zGMa60dENgvLP6TC8zOWZASkN6w6ZxsaxM=@gpb.moe> Date: Mon, 15 Jul 2024 16:12:47 +0200 To: "Gina P. Banyard" , "Juliette Reinders Folmer" Cc: internals@lists.php.net Subject: Re: [PHP-DEV] [RFC] Deprecations for PHP 8.4 Content-Type: multipart/alternative; boundary=22413b32aa824842b6cd4b3efa621bd9 From: rob@bottled.codes ("Rob Landers") --22413b32aa824842b6cd4b3efa621bd9 Content-Type: text/plain;charset=utf-8 Content-Transfer-Encoding: quoted-printable On Mon, Jul 15, 2024, at 13:20, Gina P. Banyard wrote: > On Monday, 8 July 2024 at 04:04, Juliette Reinders Folmer wrote: > > On 2-7-2024 20:05, Gina P. Banyard wrote: > >> On Tuesday, 2 July 2024 at 10:52, Juliette Reinders Folmer wrote: > >> > >>> * While a number of proposals include an impact analysis (thank yo= u!), a significant number of the proposals don't. > >>> It would be appreciated if for those proposals which aren't removi= ng unused/unusable functionality, some sort of impact analysis was added. > >> > >> You will need to clarify which ones you are talking about. > ... snip big ... >=20 > > I also don't agree that there are "more appropriate replacements ava= ilable". > > The suggested `hash()` replacements for the md5/sha1* functions have= the exact same functionality, which the RFC considers "incorrect use", = so what are we actually solving by this deprecation ? Devs not having en= ough to do already ? > > The problem (for open source) with "force-replacing" the uses of `md= 5/sha1*` functions with the `hash` function calls, is that the hash exte= nsion was not part of PHP core until PHP 7.4, which means that for a sig= nificant number of open source projects, the replacement is not a one-on= -one function call replacement, but needs guard code for PHP < 7.4 in ca= se the hash extension is not available. >=20 > Reiterating what I said previously, replacing it with the one-to-one e= quivalent should only be done if you truly need those specific algorithm= s. > Otherwise its usage should be reconsidered depending on the requiremen= ts and switched to something "safer". > Hopefully this is clearer now that Tim amended the RFC. This always gets me. "safer" doesn't have a consistent meaning. For exam= ple, if you were to want to create a "content addressable address" using= a hash and it needs to fit inside a 128 bit number (such as a GUID), yo= u may be tempted to take SHA-X and just truncate it. However, this biase= s the resulting numbers, which this bias may be considered unsafe (such = as using it in an A/B testing tool). Just because you have a short hash,= doesn't make it "unsafe" as longer hashes can also be considered "unsaf= e." What people usually mean by this is in the context of encryption, an= d in those cases it is unsafe, but in the context of non-encryption, usa= ge of truncated larger hashes is just as unsafe. =E2=80=94 Rob --22413b32aa824842b6cd4b3efa621bd9 Content-Type: text/html;charset=utf-8 Content-Transfer-Encoding: quoted-printable

=

On Mon, Jul 15, 2024, at 13:20, Gina P. Banyard wrot= e:
On= Monday, 8 July 2024 at 04:04, Juliette Reinders Folmer <php-internals_nospam@adviesenzo.nl> wrot= e:
> On 2-7-2024 20:05, Gina P. Banyard wr= ote:
>> On Tuesday, 2 July 2024 at 10:5= 2, Juliette Reinders Folmer <php= -internals_nospam@adviesenzo.nl> wrote:
>>
>>> * While a number of p= roposals include an impact analysis (thank you!), a significant number o= f the proposals don't.
>>> It would = be appreciated if for those proposals which aren't removing unused/unusa= ble functionality, some sort of impact analysis was added.
>>
>> You will need= to clarify which ones you are talking about.
 = ;... snip big ...

> I also don't a= gree that there are "more appropriate replacements available".
> The suggested `hash()` replacements for the md5/s= ha1* functions have the exact same functionality, which the RFC consider= s "incorrect use", so what are we actually solving by this deprecation ?= Devs not having enough to do already ?
> = The problem (for open source) with "force-replacing" the uses of `md5/sh= a1*` functions with the `hash` function calls, is that the hash extensio= n was not part of PHP core until PHP 7.4, which means that for a signifi= cant number of open source projects, the replacement is not a one-on-one= function call replacement, but needs guard code for PHP < 7.4 in cas= e the hash extension is not available.

Reiterating what I said previously, replacing it with the one-t= o-one equivalent should only be done if you truly need those specific al= gorithms.
Otherwise its usage should be recon= sidered depending on the requirements and switched to something "safer".=
Hopefully this is clearer now that Tim amend= ed the RFC.

This always= gets me. "safer" doesn't have a consistent meaning. For example, if you= were to want to create a "content addressable address" using a hash and= it needs to fit inside a 128 bit number (such as a GUID), you may be te= mpted to take SHA-X and just truncate it. However, this biases the resul= ting numbers, which this bias may be considered unsafe (such as using it= in an A/B testing tool). Just because you have a short hash, doesn't ma= ke it "unsafe" as longer hashes can also be considered "unsafe." What pe= ople usually mean by this is in the context of encryption, and in those = cases it is unsafe, but in the context of non-encryption, usage of trunc= ated larger hashes is just as unsafe.

=E2=80=94 Rob
--22413b32aa824842b6cd4b3efa621bd9--