Newsgroups: php.internals
Path: news.php.net
Xref: news.php.net php.internals:124438
X-Original-To: internals@lists.php.net
Delivered-To: internals@lists.php.net
Received: from php-smtp4.php.net (php-smtp4.php.net [45.112.84.5])
	by qa.php.net (Postfix) with ESMTPS id 8CC101A00B7
	for <internals@lists.php.net>; Mon, 15 Jul 2024 20:52:43 +0000 (UTC)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=php.net; s=mail;
	t=1721076852; bh=a/py4RWRjiqaN/zTGmOdwu38VXr6rOJ2gAdIbTBXneg=;
	h=Date:Subject:To:References:From:In-Reply-To:From;
	b=Kt8UamDWz67lP8RCLUX1C5s48/2iP0KzjuNSXmf988FNJqd7EX9Pvj5Lid+y/1nst
	 23cWVqTHASWPG7BuBz04AwDGgo6rWB1Fac38bKXvsCquZ+oq5YNRpy+X5AohYJO2y9
	 F3tzpwyiyKa7Gtr9vQEg9bieX9hALwqqkFkHYvSP4QO3WSTjE8hDSQj8amyK79C8ht
	 9MDfnVtzJYOMCqCeSTRM3b0oJC8KdAtQvp+ezvoQpVcLGv4c8GGbrGXJD7luF+HxX8
	 aYBAOpvdeO9J0GPK9in9A/U+SEL3/64FUvse0y4I4N941PFtYSPSLj+TTV4W9BbeyZ
	 /7RaBFSxIeAyA==
Received: from php-smtp4.php.net (localhost [127.0.0.1])
	by php-smtp4.php.net (Postfix) with ESMTP id 83EC21801D7
	for <internals@lists.php.net>; Mon, 15 Jul 2024 20:54:11 +0000 (UTC)
X-Spam-Checker-Version: SpamAssassin 4.0.0 (2022-12-13) on php-smtp4.php.net
X-Spam-Level: 
X-Spam-Status: No, score=0.6 required=5.0 tests=BAYES_50,DKIM_SIGNED,
	DKIM_VALID,DKIM_VALID_AU,DKIM_VALID_EF,DMARC_PASS,SPF_HELO_NONE,
	SPF_PASS autolearn=no autolearn_force=no version=4.0.0
X-Spam-Virus: No
X-Envelope-From: <tim@bastelstu.be>
Received: from chrono.xqk7.com (chrono.xqk7.com [176.9.45.72])
	(using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits)
	 key-exchange X25519 server-signature RSA-PSS (2048 bits) server-digest SHA256)
	(No client certificate requested)
	by php-smtp4.php.net (Postfix) with ESMTPS
	for <internals@lists.php.net>; Mon, 15 Jul 2024 20:54:10 +0000 (UTC)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=bastelstu.be;
	s=mail20171119; t=1721076760;
	bh=29EF11nSMHawXIAxucoqhtbdniWC98bSPF3GgA1D2b4=;
	h=Message-ID:Date:MIME-Version:Subject:To:References:From:
	 In-Reply-To:Content-Type:from:to:cc:subject:message-id;
	b=ZU6m4LvZCH+zGJzEklIM6GrBczYmqt4a6kXxfDr/A1ss/AvlLGWqE+saZfPAz/rBB
	 0MydFgAzyisz4D69sB8O2cpHHLbJt9zuztwhARxMeKKODcdbun0g6ntihnbYuxiuof
	 1QLx9xcDJAnYDCaiKdHCxy+L7GDUMz8YkiqlovsLSUgphH4C65ysRIhmJEBqedwnlc
	 tp8JYQwTDArgyE59V8/kG77jzF1LvOyCBErtUbC/pi2S6AvP/k+L79QcHKx3uEXEl0
	 I8K50FAxLceL1SJ2/YJekgLSNqHyJSa8SpaxwvMvgKI49sIrdhp25w+1v/qAze1iVn
	 LW1zMog1kPORg==
Message-ID: <0648d816-02c9-4033-a340-9934ba3de6d4@bastelstu.be>
Date: Mon, 15 Jul 2024 22:52:38 +0200
Precedence: bulk
list-help: <mailto:internals+help@lists.php.net
list-unsubscribe: <mailto:internals+unsubscribe@lists.php.net>
list-post: <mailto:internals@lists.php.net>
List-Id: internals.lists.php.net
MIME-Version: 1.0
Subject: Re: [PHP-DEV] [RFC] Deprecations for PHP 8.4
To: internals@lists.php.net
References: <bw20I5b7ly3lSbI-2Bv3kfrfTVJbDo5RhwBiQa1PEwuLjprDJWptPajLiaialj1RLVKu7z1j0MofJUhhRVtzT_5i2E11oKeQx_VMUxnKhUE=@gpb.moe>
 <6683CDE4.7050607@adviesenzo.nl>
 <Skh-IB3l7OxslclNZdB5ZE3G5PaIvpoz3iojK10noNbXkj1odNNvzI5w7X1aSj7IKZ951646yQ8IrUW_wNaQuv94NB0jo3IXlFImcpu_hxc=@gpb.moe>
 <668B5728.40300@adviesenzo.nl>
 <4cf169f4-e222-4140-aef7-20eb5b871d32@heigl.org>
 <668B73B6.7070509@adviesenzo.nl>
 <7a86d94a-bacb-4f72-9eb2-da89b5fc0f13@heigl.org>
Content-Language: en-US
In-Reply-To: <7a86d94a-bacb-4f72-9eb2-da89b5fc0f13@heigl.org>
Content-Type: text/plain; charset=UTF-8; format=flowed
Content-Transfer-Encoding: 8bit
From: tim@bastelstu.be (=?UTF-8?Q?Tim_D=C3=BCsterhus?=)

Hi

On 7/8/24 07:25, Andreas Heigl wrote:
>> I don't mind putting the work in when there is a good justification, but
>> I don't see one for this deprecation.
> The only one I can see is cleaning up the codebase and removing
> duplicate methods.
> 
> But the RFC definitely states that it is to "encourage users to use a
> secure hash functions, instead of using an insecure algorithm"
> 
> Which is fine. But I am totally with you that deprecating a function by
> encouraging users to use the same insecure algorithm via a different
> function is ... an interesting take to say the least.
> 

Gina already mentioned it in the long email from earlier today, but for 
reference:

The intention is that the users do not perform a mindless search and 
replace, but instead use the opportunity to re-evaluate the choice on a 
case by case basis.

Cleaning up the codebase is not a concern, because the implementation of 
the functions is trivial.

However cleaning up the documentation and API surface *is* something 
that is useful. As an example it is easier for the (inexperienced) user 
to navigate the documentation, because all the hashing functionality is 
available by the standard 'hash' functions. It also makes maintaining 
the documentation easier. As an example a few months ago, I updated all 
the examples to no longer showcase 'md5' and instead showcase the usage 
of 'sha256':

https://github.com/php/doc-en/commit/20dcfbb0dd7150cbe5dfd7903a3001229295c549

Of course the functions still support MD5, but now the documentation 
shows current best practices. Anyone whom I trust to use MD5 safely, I 
also trust to understand how to use it by means of the hash() function 
and for all the others the examples will be helpful in writing safer code.

Also once the users migrated to the hash() function, they will be able 
to switch out algorithms much more easily going forward, because the 
algorithm choice can easily be stored in a central configuration and 
passed as a string. (no, no one calls functions using a dynamic name).

In other words, the goal of the proposal is the anticipated positive 
downstream effects in overall ecosystem safety and simplified learning 
curve for new PHP developers.

Best regards
Tim Düsterhus