Newsgroups: php.internals
List-Id: internals.lists.php.net
In-Reply-To: <0824789d-0e36-4628-85c1-4b8d9b7f86af@varteg.nz>
References: <1a88918e-e808-d778-45e1-53797660e093@php.net> <3563cf9b-8eab-4c82-b525-a5d2f9a767bb@varteg.nz> <38920A4B-790D-48C7-B2F6-C49D3F506232@rwec.co.uk> <0824789d-0e36-4628-85c1-4b8d9b7f86af@varteg.nz>
Date: Sun, 28 Jul 2024 00:25:49 +0200
From: rob@bottled.codes ("Rob Landers")
To: internals@lists.php.net
Subject: Re: [PHP-DEV] [RFC] [VOTE] Deprecations for PHP 8.4

On Sun, Jul 28, 2024, at 00:14, Morgan wrote:
> On 2024-07-28 00:36, Rowan Tommins [IMSoP] wrote:
> > On 27 July 2024 00:58:17 BST, Morgan wrote:
> > > I'm not talking about the MD5 or SHA1 algorithms or whether they should or shouldn't be used. I'm just talking about the functions themselves. md5(), md5_file(), sha1(), and sha1_file(). They only exist because there wasn't the generic hash algorithm extension when they were created.
> >
> > I understand what is being claimed (and you're not the only one claiming it), I'm just not convinced it's true.
>
> I'm just looking at the manual's version information about when the functions were introduced. Seems pretty unambiguous: md5, sha1, hash: versions 3, 4, and 5 (via PECL).
>
> > I think they have standalone functions for the same reason we added str_contains and str_starts_with - because it's convenient to have straightforward functions for common use cases.
>
> Because there weren't any purpose-built functions that did the job, forcing users to use other functions in expensive ways for what is internally a pretty simple task. There is a purpose-built function for hashing.
>
> > The hash() function is like a 60-piece set of interchangeable screwdriver heads, which only professionals and enthusiasts need; md5() and sha1() are like the flat-head and Phillips screwdrivers that everyone has in a drawer somewhere.
> >
> > The thing that always surprises me is that PHP *doesn't* have a standalone function for SHA-256, which is the only other I've ever used.
>
> Why a SHA2 algorithm? Why not a SHA3 one? How about standalone functions for both, and then when SHA4 comes along (as it inevitably will) another standalone function for one of its variants?
>
> > To continue the analogy, we're missing a Pozidriv screwdriver, so people are misusing the Phillips one. The RFC is suggesting that we take away their flat-head and Phillips screwdrivers, and leave them with the 60-piece set, and no instructions.
> >
> > My suggestion is we instead give them a Pozidriv screwdriver, and write some tips on how to use it correctly.
>
> Or leave them the 60-piece set (which includes flat-head and Phillips screwdrivers, so they're not being taken away), and write some tips on how to use it correctly.
>
> > Regards,
> > Rowan Tommins
> > [IMSoP]

I'd love to see a "hashing" namespace and all of these given their own functions with docblocks and manual pages instead of the current generic "god of hash" page which doesn't even list the hash functions available; you have to click on hash_algos and then look at the var_dump of hash algorithms. From there, you can google each one and try to understand what each one is good at and why you would use murmur3a over murmur3f, then try to figure out which one is the version that is compatible with JavaScript but not compatible with C# or maybe the other way around... (I recently got to go on that ride).

If we are going to deprecate the standalone functions (see the sha1 page, which at least links to a page about the sha1 algorithm, or the md5 rfc, which links to the md5 rfc) we should seriously invest in documenting these hashing algorithms and explaining them. At the very least, link to their respective RFCs.

— Rob