Newsgroups: php.internals
From: sarkedev@gmail.com (Peter Stalman)
Date: Tue, 23 Jul 2024 20:58:56 -0700
Subject: Re: [PHP-DEV] [RFC] [VOTE] Deprecations for PHP 8.4
To: Derick Rethans
Cc: PHP internals
References: <1a88918e-e808-d778-45e1-53797660e093@php.net>
In-Reply-To: <1a88918e-e808-d778-45e1-53797660e093@php.net>

On Mon, Jul 22, 2024 at 9:06 AM Derick Rethans wrote:

> - Deprecate md5(), sha1(), md5_file(), and sha1_file() (just says "large
>   impact")

About 1.2 million.
https://github.com/search?q=%28md5+OR+md5_file+OR+sha1+OR+sha1_file%29+language%3APHP+&type=code

The proposed deprecation of these functions in PHP due to their cryptographic insecurities seems to overlook their valid non-cryptographic applications. If we consider the context, the scope of cryptographic usage is already quite specific. We're talking about end users who are rolling their own security implementations and are unaware of the security risks but somehow know how to use these functions without reading the documentation and warnings.

The number of people who fall into this specific category is quite small. Yet, this change is being proposed for their sake. It's important to note that these same users could/will easily make other security mistakes regardless of this deprecation.

On the other hand, who will be impacted by these deprecations? Potentially everyone, as these are included in many projects and in many vendor packages. It's busy work for the people who aren't affected. Sure, eventually, it will all be sorted out as CI warnings slowly subside because of this.

Reasons such as GIT and most cloud storages using these functions should be enough to spare them. Example: https://rclone.org/overview/

The point is that there are several reasons in 2024 to use md5 and sha1. Granted, hashing passwords isn't one, but we're past that as a community already. And for the few that aren't, I'd argue there is no saving.

Thanks,
Peter