Newsgroups: php.internals
Xref: news.php.net php.internals:124604
From: kontakt@beberlei.de (Benjamin Außenhofer)
Date: Fri, 26 Jul 2024 06:10:46 -0500
Subject: Re: [PHP-DEV] [RFC] [VOTE] Deprecations for PHP 8.4
To: "Gina P. Banyard"
Cc: Tim Düsterhus, Derick Rethans, PHP internals, Peter Stalman

On 26.07.2024, 12:03:53, Gina P. Banyard wrote:

> On Friday, 26 July 2024 at 08:09, Peter Stalman wrote:
>
> > On Thu, Jul 25, 2024 at 11:35 PM Peter Stalman wrote:
> >
> > > If their learning insticast
> >
> > *instincts.
> >
> > I should also clarify, I'm not against deprecations in general. However,
> > the benefits should outweigh the costs. If something is getting
> > unmaintainable, no longer supported, inherently insecure etc, those are all
> > good reasons. `password_hash` as mentioned was a great addition, and
> > should/did solve this very issue. Even someone reading a blog tutorial from
> > 11 years ago would be able to see this used properly.
> >
> > But md5/sha1 are not bad functions, they do *exactly* what they say on the
> > box. Being able to do the exact same thing by spelling the function
> > slightly differently isn't even deprecating them, just deprecating an
> > alias. They're only *bad* if used in a *bad way*, and that to me is not
> > enough of a reason.
>
> Stephen Rees-Carter, a security expert that has performed countless
> security audits on Wordpress and Laravel websites, would like to disagree
> with the fact that it is not enough of a good reason. [1]
> A warning on a documentation page is useless, as nobody is forced to read
> it.
>
> Yet again the PHP community doesn't care about security of its users,
> current and future, and just prefers the convenience of needing to type
> less characters and not go back fix some code for better design.
>
> I am not sure why I was expecting something else, but I guess I am just
> disappointed.
> I suppose we are truly becoming Oracle.
>
> Sincerely,
>
> Gina P. Banyard
>
> [1] https://x.com/valorin/status/1816593881791860963

The only thing that removal of these functions would cause is
a.) make people rant about PHP unnecessarily
b.) 99.9% would counter the removal of these functions by adding this kind of
code in their bootstrap, maybe include a polyfill library via composer.

    if (!function_exists('md5')) {
        function md5($data) {
            return hash('md5', $data);
        }
    }


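Added example (not part of the original message and not PHP project code): because the polyfill quoted in the message above routes md5() through hash('md5', ...), a code audit for weak-hash use has to catch all three spellings. The scanner below uses PHP's tokenizer for that; findWeakHashUse() and the sample source are constructed for illustration, and PHP 8.0+ is assumed.

```php
<?php
// Added example (PHP 8.0+ assumed), not code from the thread or php-src: flags md5()/sha1()
// calls, the equivalent hash('md5'|'sha1', ...) spelling, and userland redefinitions.
function findWeakHashUse(string $source): array
{
    $weak = ['md5', 'sha1'];
    $skip = [T_WHITESPACE, T_COMMENT, T_DOC_COMMENT];   // dropped so neighbours can be read by index
    $tokens = array_values(array_filter(
        token_get_all($source),
        fn($t) => !is_array($t) || !in_array($t[0], $skip, true)
    ));
    $findings = [];
    foreach ($tokens as $i => $t) {
        if (!is_array($t) || !in_array($t[0], [T_STRING, T_NAME_FULLY_QUALIFIED], true)) {
            continue;
        }
        $name = strtolower(ltrim($t[1], '\\'));
        $prev = $tokens[$i - 1] ?? null;
        $prevId = is_array($prev) ? $prev[0] : null;
        if ($prevId === T_FUNCTION && in_array($name, $weak, true)) {
            $findings[] = [$t[2], 'polyfill', $name];    // function md5(...) { ... }
            continue;
        }
        // Only plain function calls: skip declarations, methods, static calls and "new".
        $member = [T_FUNCTION, T_OBJECT_OPERATOR, T_NULLSAFE_OBJECT_OPERATOR, T_DOUBLE_COLON, T_NEW];
        if (($tokens[$i + 1] ?? null) !== '(' || in_array($prevId, $member, true)) {
            continue;
        }
        if (in_array($name, $weak, true)) {
            $findings[] = [$t[2], 'call', $name];
        } elseif ($name === 'hash') {
            $arg = $tokens[$i + 2] ?? null;              // first argument, only if a string literal
            $algo = is_array($arg) && $arg[0] === T_CONSTANT_ENCAPSED_STRING
                ? strtolower(trim($arg[1], "'\"")) : null;
            if (in_array($algo, $weak, true)) {
                $findings[] = [$t[2], 'hash-call', $algo];
            }
        }
    }
    return $findings;   // list of [line, kind, algorithm]
}
// Constructed sample input; line 2 is the polyfill quoted in the message.
$sample = <<<'SRC'
<?php
if (!function_exists('md5')) { function md5($data) { return hash('md5', $data); }}
$etag = sha1($body);
$ok = hash('sha256', $body);
SRC;
foreach (findWeakHashUse($sample) as $f) { vprintf("line %d: %-9s %s\n", $f); }
```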