Newsgroups: php.internals
Date: Thu, 25 Jul 2024 18:22:17 -0400
From: mike@newclarity.net (Mike Schinkel)
To: Rowan Tommins [IMSoP]
Cc: Internals
Subject: Re: [PHP-DEV] [RFC] [VOTE] Deprecations for PHP 8.4
Message-ID: <47EDE48C-5462-4043-9F3C-CCCD22FE4718@edison.tech>
References: <1a88918e-e808-d778-45e1-53797660e093@php.net>
List-Id: internals.lists.php.net

> On Jul 25, 2024 at 5:35 PM, Rowan Tommins [IMSoP] wrote:
>
> Rather than force people to use functions that we acknowledge are hard
> to use, surely the logical thing is to make the "right" code *easy* to use?
>
> Which means if we want people to use SHA-256, let's add a sha256()
> function to make it easy.
>
> This is what password_hash() and password_verify() did right: the
> functionality was already there in crypt(), but it's hard to use, and
> harder to use correctly. Providing clearer functions, even though they
> do the same thing, helps new developers "fall into the pit of success".

Yes! 1000% *THIS*.

-Mike

> The hash() function isn't quite as confusing as crypt(), but according
> to the manual, it currently supports 60 different algorithms, most of
> which I have never heard of. I'm aware that "sha256" is better than
> "sha1", but should I be aiming higher, and using "sha384", or maybe one
> of the four flavours of "sha3"? Then there's the fun-sounding
> "whirlpool", the faintly rude-sounding "snefru", and a bewildering
> fifteen flavours of "haval".
>
> A new user being told "don't use sha1(), use hash() and pick from this
> list" is more likely to say "ah, there's sha1, jolly good" than spend an
> afternoon reading cryptography journals. There's no pit of success to
> fall into.
>
> Regards,
>
> --
> Rowan Tommins [IMSoP]
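An added PHP example (not code from the thread or from php-src) of the "pit of success" shape the message argues for: a wrapper over hash() that exposes only a short allowlist of current algorithms, the sha256() convenience the quoted message asks for, and the bcrypt salt handling that crypt() leaves to the caller but password_hash() and password_verify() hide. The function names hash_strict, sha256, crypt_bcrypt_by_hand and crypt_verify_by_hand are hypothetical; PHP has no built-in sha256() function.

```php
<?php
declare(strict_types=1);

// Added example, not from the thread: the allowlist is the whole menu a caller
// sees, so sha1, md5 and the fifteen haval variants cannot be picked by accident.
const ALLOWED_HASH_ALGOS = ['sha256', 'sha384', 'sha512', 'sha3-256', 'sha3-512'];

function hash_strict(string $data, string $algo = 'sha256', bool $binary = false): string
{
    if (!in_array($algo, ALLOWED_HASH_ALGOS, true)) {
        throw new InvalidArgumentException("Algorithm '$algo' is not in the allowlist");
    }
    // hash_algos() lists what this PHP build actually supports.
    if (!in_array($algo, hash_algos(), true)) {
        throw new RuntimeException("Algorithm '$algo' is not available in this build");
    }
    return hash($algo, $data, $binary);
}

// The sha256() convenience the quoted message asks for (hypothetical; not in PHP).
function sha256(string $data, bool $binary = false): string
{
    return hash_strict($data, 'sha256', $binary);
}

// Contrast with crypt(): the caller must build a bcrypt setting string by hand
// ('$2y$' + two-digit cost + 22 chars from [./A-Za-z0-9]) and compare in constant
// time. password_hash()/password_verify() do both of these for the caller.
function crypt_bcrypt_by_hand(string $password, int $cost = 10): string
{
    // base64 of 16 random bytes gives 24 chars; '+' is not in the bcrypt alphabet.
    $salt = substr(strtr(base64_encode(random_bytes(16)), '+', '.'), 0, 22);
    return crypt($password, sprintf('$2y$%02d$%s', $cost, $salt));
}

function crypt_verify_by_hand(string $password, string $stored): bool
{
    // Re-hashing with the stored string as the setting reuses its salt and cost.
    return hash_equals($stored, crypt($password, $stored));
}

// Usage: the easy path and the hard path produce the same kind of result.
$digest  = sha256('hello');
$easyOk  = password_verify('s3cret', password_hash('s3cret', PASSWORD_DEFAULT));
$hardOk  = crypt_verify_by_hand('s3cret', crypt_bcrypt_by_hand('s3cret'));
try {
    hash_strict('hello', 'sha1');
} catch (InvalidArgumentException $e) {
    echo $e->getMessage(), PHP_EOL;
}
```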