Newsgroups: php.internals
Date: Fri, 26 Jul 2024 13:11:39 +0200
Message-ID: <89096756-9f50-4b10-9630-d3b18e4b9c29@gmx.de>
Subject: Re: [PHP-DEV] [RFC] [VOTE] Deprecations for PHP 8.4
To: "Gina P. Banyard" <internals@gpb.moe>, Peter Stalman <sarkedev@gmail.com>
Cc: Tim Düsterhus <tim@bastelstu.be>, Derick Rethans <derick@php.net>, PHP internals <internals@lists.php.net>
From: cmbecker69@gmx.de ("Christoph M. Becker")

On 26.07.2024 at 12:03, Gina P. Banyard wrote:

> Stephen Rees-Carter, a security expert that has performed countless security audits on Wordpress and Laravel websites, would like to disagree with the fact that it is not enough of a good reason. [1]
> A warning on a documentation page is useless, as nobody is forced to read it.

Right, but even a deprecation notice is likely to be ignored by those (either use the shut-up operator, or use hash("md5"), or maybe a polyfill to support old PHP versions), so the deprecation wouldn't help in such cases. (I've recently seen a new release of a software which still uses <https://www.openwall.com/phpass/>. Apparently, the notice to prefer the password_*() API has been ignored or overlooked.)

On the other hand, I'm quite confident that a deprecation could be useful for some developers, who would at least reconsider the use of md5/sha1 hashes, but just have overlooked this; although some static analysis should report respective issues.

However, there is certainly code without any static analysis, where at least this discussion appears to be helpful, e.g. our php-sdk-binary-tools might reconsider their use of md5() and md5(uniqid())[2].

Note that I'm not against these deprecations, but I'm also not strongly in favor. I see valid arguments from both proponents and opponents.

> [1] https://x.com/valorin/status/1816593881791860963

[2] <https://github.com/php/php-sdk-binary-tools/issues/21>

Cheers,
Christoph
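Added example, not part of the original message and not code from any PHP project: a small Python line scanner that reports md5/sha1 use in PHP source independently of whether a runtime deprecation notice is ever seen, covering the cases named in the message (the shut-up operator, hash("md5", ...), md5(uniqid())). It is a regex heuristic rather than a PHP parser, the finding labels are made up for this sketch, and the sample PHP is constructed.

```python
import re

# Direct calls such as md5(...), sha1(...), md5_file(...), optionally prefixed
# by the error-suppression ("shut-up") operator "@". The lookbehind skips
# method calls ($o->md5), static calls (X::md5), variables and longer names.
DIRECT = re.compile(r'(?<![\w>:$])(@?)\s*(md5|sha1)(_file)?\s*\(', re.I)
# The same algorithms reached through hash()/hash_file() with a literal name,
# which a deprecation of md5()/sha1() alone would not flag.
INDIRECT = re.compile(
    r'''(?<![\w>:$])(@?)\s*hash(_file)?\s*\(\s*(['"])(md5|sha1)\3''', re.I)
UNIQID = re.compile(r'md5\s*\(\s*uniqid\s*\(', re.I)


def scan(php_source):
    """Return (line_number, algorithm, kind) for each weak-hash call found."""
    findings = []
    for no, line in enumerate(php_source.splitlines(), 1):
        code = line.strip()
        if code.startswith(("//", "#", "*", "/*")):
            continue  # heuristic: ignore lines that are only comments
        for m in DIRECT.finditer(code):
            if UNIQID.match(code, m.start(2)):
                kind = "md5-of-uniqid"
            elif m.group(1):
                kind = "suppressed"  # "@" would hide a deprecation notice
            else:
                kind = "direct"
            findings.append((no, m.group(2).lower(), kind))
        for m in INDIRECT.finditer(code):
            findings.append((no, m.group(4).lower(), "via-hash"))
    return findings


# Constructed sample input, not taken from any real code base.
SAMPLE = '''<?php
// md5() mentioned in a comment only
$a = md5($password);
$b = @sha1($password);
$c = hash("md5", $password);
$d = md5(uniqid());
$e = hash('sha256', $data);
$f = $obj->md5($data);
$g = password_hash($password, PASSWORD_DEFAULT);
'''

if __name__ == "__main__":
    for finding in scan(SAMPLE):
        print(finding)
```
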