Newsgroups: php.internals
From: lists@ageofdream.com (Nick Lockheart)
To: internals@lists.php.net
Subject: Re: [PHP-DEV] [RFC] [VOTE] Deprecations for PHP 8.4
Date: Fri, 26 Jul 2024 16:13:28 -0400
Message-ID: <5a508fb6de62932d0f17aa859bde828d9531cfd1.camel@ageofdream.com>

> In regards to hashing, this is likely fine; for now. There still
> isn't an arbitrary pre-image attack on md5 (that I'm aware of). Can
> you create a random file with a matching hash? Yes, in a few seconds,
> on modern hardware. But you cannot yet make it have arbitrary
> contents in our lifetime. The NSA probably has something like this
> though, but if so, this isn't widely known.

The NSA likely owns "Let's Encrypt" and can therefore MitM every TLS
site on the internet.

> If the problem is that the web is full of bad documentation, find or
> write some GOOD documentation. Then, work out how best to signpost
> users to that documentation. Deprecating md5() and sha1() does
> neither.

This.

I'm not going to quote everything, but I read through the comments from
today and would say this:

1) This seems very much like the people in support of these
deprecations are trying to push PHP to enforce *policy* on developers,
rather than simply providing tools.

2) PHP should provide good documentation, but should not try to force
every user to do something "best practice" by renaming functions.

3) If a webserver/host updates the PHP version and the code breaks, the
last thing a dev is looking for is "what's the best practice to
refactor this code". The dev is thinking, "our site is down, the
boss/client is angry, what's the fastest band-aid I can slap on this to
get the site up again".

Thus:

Provide tools, not policy.
Provide good documentation.

--
Nick