Newsgroups: php.internals Path: news.php.net Xref: news.php.net php.internals:124660 X-Original-To: internals@lists.php.net Delivered-To: internals@lists.php.net Received: from php-smtp4.php.net (php-smtp4.php.net [45.112.84.5]) by qa.php.net (Postfix) with ESMTPS id BC1851A00B7 for ; Sun, 28 Jul 2024 03:54:15 +0000 (UTC) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=php.net; s=mail; t=1722138951; bh=3qcTvnE3skt4h/5WkndNR9EZFQbwS6oCYxZcWSWGz/Y=; h=Subject:From:In-Reply-To:Date:Cc:References:To:From; b=FbrVU9//gmXd+Qf3PJdaUGqIK/Iu0OfdfYe+qjEMCxqvpOVUioI9yqzKa6hn6VwJb PAEAgdP8xcFKB2HK2j49JXTOUwCLK+zk94/OHbLN1nCxAYPoeLNaPFcxG8H9UII4YJ Ocy574THLrHIUVJX4+JqHtVZXjWfkS23h2/eKMA1Y6kxZT8YpnigwW+4SXKTczEfk+ buUHmA4+/qJQsidvdPLhWBGKZpvNftvPKL3eMwS8BbC7KmJAbAwPni3i23GPW3NBuw 2anAlPb/POAC4x2h/lIpvrs4ixnzsUGw0qg69g+4WJ4R02Z9zsomP2036N/Z22miDB sBpyKAFhftrmQ== Received: from php-smtp4.php.net (localhost [127.0.0.1]) by php-smtp4.php.net (Postfix) with ESMTP id 8BE59180057 for ; Sun, 28 Jul 2024 03:55:50 +0000 (UTC) X-Spam-Checker-Version: SpamAssassin 4.0.0 (2022-12-13) on php-smtp4.php.net X-Spam-Level: X-Spam-Status: No, score=0.8 required=5.0 tests=BAYES_50,DKIM_SIGNED, DKIM_VALID,DMARC_MISSING,RCVD_IN_DNSWL_NONE,RCVD_IN_MSPIKE_H2, SPF_HELO_NONE,SPF_NONE autolearn=no autolearn_force=no version=4.0.0 X-Spam-Virus: No X-Envelope-From: Received: from mail-yw1-f170.google.com (mail-yw1-f170.google.com [209.85.128.170]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature RSA-PSS (2048 bits) server-digest SHA256) (No client certificate requested) by php-smtp4.php.net (Postfix) with ESMTPS for ; Sun, 28 Jul 2024 03:55:49 +0000 (UTC) Received: by mail-yw1-f170.google.com with SMTP id 00721157ae682-661369ff30aso8388757b3.2 for ; Sat, 27 Jul 2024 20:54:13 -0700 (PDT) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=newclarity-net.20230601.gappssmtp.com; s=20230601; t=1722138853; x=1722743653; darn=lists.php.net; h=to:references:message-id:content-transfer-encoding:cc:date :in-reply-to:from:subject:mime-version:from:to:cc:subject:date :message-id:reply-to; bh=3qcTvnE3skt4h/5WkndNR9EZFQbwS6oCYxZcWSWGz/Y=; b=OAG1zgs+fmiNF8tOkKJGMLP1VgKaC/Av7PeUt1Va+PQ6Ayb0T3AnOEz24Zt+/sVeeQ twMShDVRzGTg7LZu8c0Mdw34xhvt79QTQvsKGLQiKnmpFf0+ZRtcuQAJUE0Lnd2w5yo7 oD8CjCQL2dcyZV8Amu8ANIrNr0b45GbBsulv4TJF9W3Q0AtPRzJ7TDNTwGokR64jPW/v vnncweFJWk0C0M9SO4KWIvtg8xQZBEFry9fHsEdEUKfpUni/eTdt6sddGsh1Yjwtsozn ySqeKPezMRrv6unZ4J8i5DruRcKH1gEL1E3VV8a1mQdj7gHU4B0ICoYOPD6B8PyiSPJb qdFA== X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20230601; t=1722138853; x=1722743653; h=to:references:message-id:content-transfer-encoding:cc:date :in-reply-to:from:subject:mime-version:x-gm-message-state:from:to:cc :subject:date:message-id:reply-to; bh=3qcTvnE3skt4h/5WkndNR9EZFQbwS6oCYxZcWSWGz/Y=; b=vzPHXCdMgoVeE24lVLs37cshNIVnwh/sGEsVRMZS9zpY1E2q+JY1DL85ORVlfLRSb6 oQ3aNmOTTHN3i2kna4DRRgAolNbuoX4paX6coUboRG7GRaYB95dMbYPfnIYP0zIdMn49 ULcdr2oYIAdxl/CRlDzMiM0cePrj8s8jajGQo7GfVrXgjmW4HJgUxSNxTvl+nrl8X7xa cgQnW/f1+HLvxtmcT4ZJBHHy3f+pETXAGBcdpWwRbGFal5bFShQWAdukUm2KT6K4pPRl UJCRHNykA7J87Oulcsn+yKx5Omsns9ItdgE2/yZ3pNqUKl/FmifTAVeL1U9OblveGjUd BRrg== X-Gm-Message-State: AOJu0YySlTYTLM15GG395GZGK3/ey5pUh0RP1hUUBZq+ZRBiCeZueuZe lghI60uroaBzUO/LoZv3t0PuYz5sNts+8oBw1BWtzGEThoScGaEbfgnsGobC1PczF9dVZlMIBJc NJxo= X-Google-Smtp-Source: AGHT+IGVRXksrjG9LJPQ7p7USHnmXgOV7EqxDUS6sLhQ+/aWBr9d9r4FZGEwHNXysiGitrzpQMMfOQ== X-Received: by 2002:a25:eb07:0:b0:e03:a227:6476 with SMTP id 3f1490d57ef6-e0b54480b0amr4282486276.17.1722138852917; Sat, 27 Jul 2024 20:54:12 -0700 (PDT) Received: from smtpclient.apple (c-98-252-216-111.hsd1.ga.comcast.net. [98.252.216.111]) by smtp.gmail.com with ESMTPSA id 3f1490d57ef6-e0b2a177e0esm1381081276.32.2024.07.27.20.54.11 (version=TLS1_2 cipher=ECDHE-ECDSA-AES128-GCM-SHA256 bits=128/128); Sat, 27 Jul 2024 20:54:11 -0700 (PDT) Content-Type: text/plain; charset=utf-8 Precedence: bulk list-help: list-post: List-Id: internals.lists.php.net x-ms-reactions: disallow Mime-Version: 1.0 (Mac OS X Mail 16.0 \(3696.120.41.1.8\)) Subject: Re: [PHP-DEV] [RFC] [VOTE] Deprecations for PHP 8.4 In-Reply-To: <38920A4B-790D-48C7-B2F6-C49D3F506232@rwec.co.uk> Date: Sat, 27 Jul 2024 23:54:10 -0400 Cc: PHP internals Content-Transfer-Encoding: quoted-printable Message-ID: <951AA94A-8C07-446E-925C-15BB97F146A4@newclarity.net> References: <1a88918e-e808-d778-45e1-53797660e093@php.net> <3563cf9b-8eab-4c82-b525-a5d2f9a767bb@varteg.nz> <38920A4B-790D-48C7-B2F6-C49D3F506232@rwec.co.uk> To: "Rowan Tommins [IMSoP]" , Morgan X-Mailer: Apple Mail (2.3696.120.41.1.8) From: mike@newclarity.net (Mike Schinkel) > On Jul 27, 2024, at 8:36 AM, Rowan Tommins [IMSoP] = wrote: > On 27 July 2024 00:58:17 BST, Morgan wrote: >>=20 >> I'm not talking about the MD5 or SHA1 algorithms or whether they = should or shouldn't be used. I'm just talking about the functions = themselves. md5(), md5_file(), sha1(), and sha1_file(). They only exist = because there wasn't the generic hash algorithm extension when they were = created. >=20 > I understand what is being claimed (and you're not the only one = claiming it), I'm just not convinced it's true. I think they have = standalone functions for the same reason we added str_contains and = str_starts_with - because it's convenient to have straightforward = functions for common use cases. >=20 > The hash() function is like a 60-piece set of interchangeable = screwdriver heads, which only professionals and enthusiasts need; md5() = and sha1() are like the flat-head and Phillips screwdrivers that = everyone has in a drawer somewhere. >=20 > The thing that always surprises me is that PHP *doesn't* have a = standalone function for SHA-256, which is the only other I've ever used.=20= >=20 > To continue the analogy, we're missing a Pozidriv screwdriver, so = people are misusing the Phillips one. The RFC is suggesting that we take = away their flat-head and Phillips screwdrivers, and leave them with the = 60-piece set, and no instructions.=20 >=20 > My suggestion is we instead give them a Pozidriv screwdriver, and = write some tips on how to use it correctly.=20 I rise in support of this mindset. =20 Some of us like to draw inspiration from other languages, and in that = vein one of the things that makes Go such a joy to program in is the = fact the Go team continues to add "convenience" functions with every new = 6 month release.=20 Many (all?) of the functions the Go team adds could have been written in = "userland" but they represent such common use-cases that the Go team = decided to make them easy and obvious. They even soft deprecate = functions and structs that are not ideal and replace them with ones with = better names and better signatures. If Go had started with the string = and array functions PHP has today they would almost certainly replaced = them by now, ~15 years into Go's tenure. It is a shame that PHP's culture is so hostile towards adding = functionality that could also be added in userland, especially when that = functionality would simplify and standardize algorithms that are = non-obvious and/or too easy to implement incorrectly. If the PHP culture = embraced moving common use-cases into core it would make PHP much more = pleasurable to program in and make it much less likely that PHP programs = would have bugs and/or security vulnerabilities. > On Jul 27, 2024, at 6:14 PM, Morgan wrote: > Why a SHA2 algorithm? Why not a SHA3 one? How about standalone = functions for both, and then when SHA4 comes along (as it inevitably = will) another standalone function for one of its variants? Yes. Yes, And Yes. And ideally within a `\PHP` namespace. =20 -Mike P.S. But as we know a standardized `\PHP` namespace is apparently never = going to happen although for the life of me I still cannot understand = why not =E2=80=94 and I was here during the voting down of that RFC ~4 = years ago =E2=80=94 given how so many other languages had done the = equivalent.