Newsgroups: php.internals
From: imsop.php@rwec.co.uk ("Rowan Tommins [IMSoP]")
Date: Thu, 25 Jul 2024 22:34:08 +0100
Subject: Re: [PHP-DEV] [RFC] [VOTE] Deprecations for PHP 8.4
To: internals@lists.php.net
List-Id: internals.lists.php.net
References: <1a88918e-e808-d778-45e1-53797660e093@php.net>

On 24/07/2024 23:01, Morgan wrote:
> And they would still be available as hash("md5") and hash("sha1"); the
> only reason they're called out as their own distinct functions today
> is historical inertia.

I don't agree that the reasons for including standalone functions are "historical". The RFC itself gives a good reason for having such functions:

> Unfortunately these cryptographically secure hash functions are only available by means of the generic hash() function ... making using them more verbose and thus seemingly more complicated

Rather than force people to use functions that we acknowledge are hard to use, surely the logical thing is to make the "right" code *easy* to use? Which means if we want people to use SHA-256, let's add a sha256() function to make it easy.

This is what password_hash() and password_verify() did right: the functionality was already there in crypt(), but it's hard to use, and harder to use correctly. Providing clearer functions, even though they do the same thing, helps new developers "fall into the pit of success".

The hash() function isn't quite as confusing as crypt(), but according to the manual, it currently supports 60 different algorithms, most of which I have never heard of. I'm aware that "sha256" is better than "sha1", but should I be aiming higher, and using "sha384", or maybe one of the four flavours of "sha3"? Then there's the fun-sounding "whirlpool", the faintly rude-sounding "snefru", and a bewildering fifteen flavours of "haval".

A new user being told "don't use sha1(), use hash() and pick from this list" is more likely to say "ah, there's sha1, jolly good" than spend an afternoon reading cryptography journals. There's no pit of success to fall into.

Regards,

-- 
Rowan Tommins
[IMSoP]
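
The contrast drawn in the message above, as an added PHP example that is not part of the original message or of the RFC: the same bcrypt password hash produced through crypt(), where the caller assembles the setting string by hand, and through password_hash(), followed by a userland wrapper of the kind the message proposes. The function names `crypt_bcrypt`, `crypt_verify` and `example_sha256` are hypothetical, and the sample password is constructed.

```php
<?php
declare(strict_types=1);

// crypt() route: the caller has to know the "$2y$" prefix, the two-digit
// cost field, and that the salt is 22 characters from "./A-Za-z0-9".
function crypt_bcrypt(string $password, int $cost = 12): string
{
    // base64 uses "+" where bcrypt's alphabet uses "."; "/" is in both.
    $salt = substr(strtr(base64_encode(random_bytes(16)), '+', '.'), 0, 22);
    $setting = '$2y$' . str_pad((string) $cost, 2, '0', STR_PAD_LEFT) . '$' . $salt;
    return crypt($password, $setting);
}

// Verification with crypt(): re-hash using the stored string as the setting,
// then compare in constant time. Using == here is the classic mistake.
function crypt_verify(string $password, string $stored): bool
{
    return hash_equals($stored, crypt($password, $stored));
}

// Hypothetical wrapper: PHP has no built-in sha256(), so the name is
// prefixed to mark it as example code.
function example_sha256(string $data, bool $binary = false): string
{
    return hash('sha256', $data, $binary);
}

$password = 'correct horse battery staple'; // constructed sample input

// Hard-to-use route.
$viaCrypt = crypt_bcrypt($password);
var_dump(crypt_verify($password, $viaCrypt));

// Easy route: algorithm, cost and salt are chosen by the library.
$viaPasswordHash = password_hash($password, PASSWORD_DEFAULT);
var_dump(password_verify($password, $viaPasswordHash));

// Both routes produce the same format, so either verifier accepts either hash.
var_dump(password_verify($password, $viaCrypt));

// The wrapper returns exactly what the generic call returns.
var_dump(example_sha256('abc') === hash('sha256', 'abc'));

// The list a new user is asked to pick from; its length depends on the build.
printf("%d algorithms offered by hash()\n", count(hash_algos()));
```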