Newsgroups: php.internals
Subject: Re: [PHP-DEV] [RFC] [VOTE] Deprecations for PHP 8.4
From: mike@newclarity.net (Mike Schinkel)
Date: Sun, 28 Jul 2024 00:33:18 -0400
To: "Christoph M. Becker"
Cc: "Rowan Tommins [IMSoP]", internals@lists.php.net
Message-ID: <884458DE-74CF-4198-90E7-0BBBF828260F@newclarity.net>
In-Reply-To: <921dcf17-280b-4005-b31f-5811dbe5ce62@gmx.de>

> On Jul 27, 2024, at 7:24 AM, Christoph M. Becker wrote:
>
> Hmm, such soft deprecations should be a good thing, but I'm afraid they
> are not really reaching much of the user base. Remember ext/mysql?
> That was soft deprecated for "centuries", but still support channels
> were burning when it actually had been deprecated, and even after it had
> been removed. (interestingly still
> says the package would have been moved to )
>
> Maybe, just maybe, it might be a good idea to repurpose E_STRICT for
> such things. Basically a three step deprecation: first document that a
> feature is obsolete, then trigger E_STRICT, and only then E_DEPRECATED.
> I haven't really thought this through, though.

Reading this I pondered why long soft deprecations do not really work and why there is still a crisis when the hard deprecation happens.
Seems to me that as long as those who prioritize spend can put off doing things with no short term benefit then there is no tangible incentive to update. People will (almost?) always prioritize addressing a current crisis — or adding features that benefit them in the near term — over remediating something that is not causing them a current problem.

I wondered if it would not be possible to give code owners an incentive to remediate without actually forcing them to? The one thing that I came up with is reduced performance over time.

Somehow I expect to get a firestorm of negativity for even suggesting this, but please hear me out.

Imagine we had another round of deprecation voting for md5(), sha1(), etc. and instead of it just being soft deprecated until PHP 10 then hard deprecated, what if we ADDED a sleep duration in each of those functions, and we escalate for each minor release. Start with 100 milliseconds delay per function call, and then add another 100 milliseconds delay each point release of PHP.

This would allow all code to continue functioning but over time any code that uses the functions will get slower. The code owners — not the developers — will then be incented to prioritize a remediation sooner than later. And the longer they wait the worse performance will get assuming they keep upgrading their version of PHP. OTOH their code will continue to work no matter what, so they can put off remediating until it becomes their priority.

This would certainly get lots of libraries to be motivated to remediate as their users would get annoyed with the delays, and commonly used libraries can affect large numbers of installations. And since performance topics drive eyeballs, lots of developer websites would be motivated to write articles about how and why people should remediate those functions.

Something to consider?

-Mike

P.S.
Frankly, I really would not want to see md5() nor sha1() removed because there are valid use-cases for them. I would at least like to see them kept in some form, maybe in an `\Insecure` namespace, or renamed `insecure_md5()` and `insecure_sha1()` or maybe add a third optional bool parameter `$insecure_ok` that defaults to `false` — or ?enum flag parameter accepting Hashing::INSECURE_OK as its only value — thus allowing developers to explicitly opt-in to insecure use.
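
The following userland sketch is an added example, not code from the message's author or from PHP itself; it shows how the escalating delay and the enum opt-in described above could behave together. The names `guarded_md5()`, `deprecation_delay_ms()` and `PENALTY_INTRODUCED_MINOR` are hypothetical, and letting the opt-in flag skip the delay, as well as counting minor releases within a single major version, are assumptions.

```php
<?php
declare(strict_types=1);

// Hypothetical userland sketch; none of these names exist in PHP itself.
enum Hashing
{
    case INSECURE_OK; // the only accepted value, as suggested in the P.S.
}

// Assumed: the penalty first ships in minor release 4 of the current major.
const PENALTY_INTRODUCED_MINOR = 4;

// Schedule from the message: 100 ms in the first release carrying the
// penalty, plus another 100 ms for each later minor release.
function deprecation_delay_ms(int $currentMinor, int $introducedMinor): int
{
    if ($currentMinor < $introducedMinor) {
        return 0;
    }
    return 100 * ($currentMinor - $introducedMinor + 1);
}

// md5() wrapper with a third, optional opt-in parameter. Callers that opt in
// get the plain digest; all others still work, but receive a deprecation
// notice and the escalating sleep.
function guarded_md5(string $data, bool $binary = false, ?Hashing $flag = null): string
{
    if ($flag !== Hashing::INSECURE_OK) {
        $ms = deprecation_delay_ms(PHP_MINOR_VERSION, PENALTY_INTRODUCED_MINOR);
        trigger_error(
            "md5() called without Hashing::INSECURE_OK; delayed {$ms} ms",
            E_USER_DEPRECATED
        );
        usleep($ms * 1000);
    }
    return md5($data, $binary);
}

// Constructed sample calls: a non-security use (cache key) with and without opt-in.
$optedIn = guarded_md5('cache-key:42', flag: Hashing::INSECURE_OK); // no delay
$start   = hrtime(true);
$legacy  = guarded_md5('cache-key:42');                             // notice + delay
$elapsed = intdiv(hrtime(true) - $start, 1_000_000);

printf("same digest: %s, legacy call took ~%d ms\n",
    $optedIn === $legacy ? 'yes' : 'no', $elapsed);
```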