Newsgroups: php.internals Path: news.php.net Xref: news.php.net php.internals:124664 X-Original-To: internals@lists.php.net Delivered-To: internals@lists.php.net Received: from php-smtp4.php.net (php-smtp4.php.net [45.112.84.5]) by qa.php.net (Postfix) with ESMTPS id A086F1A00B7 for ; Sun, 28 Jul 2024 12:24:49 +0000 (UTC) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=php.net; s=mail; t=1722169585; bh=b5sPjSlUcsaDFq2DQiePYWu/wXV4JJxkpBy2GhUJPhM=; h=References:In-Reply-To:From:Date:Subject:To:Cc:From; b=KmOHz9nRuwU0xYJcE0RcPCh3bSAOxV+3G7mhqlnI3fwh9NISkbXEc0IvLG8SwnYa7 o3myGX2D1AOHeYnATZ/z8UfKugR5GTYaxM8btV58y0FKLqx1hgkt32/DTnGbCcXRte 0t6+YJiJMrUxezV5aASIM73YuWVD4Xh5MHuCWUZ99eG5SjIP8wCBQlt3KcDxygaFH2 MbCu+ldBwaaYUUFn6CyKarkcl8nV/2AoLp51G3WjlXGjtaCZ9jOOWcPxJFtBxvgAhZ h8zy2b/ftvBbhWcng4sC5PO+AFkPITBex+6tpr7hpuCTR4snfx95F6/YHzdIHhanm9 4ojCNI2XiCP5A== Received: from php-smtp4.php.net (localhost [127.0.0.1]) by php-smtp4.php.net (Postfix) with ESMTP id 066D0180055 for ; Sun, 28 Jul 2024 12:26:25 +0000 (UTC) X-Spam-Checker-Version: SpamAssassin 4.0.0 (2022-12-13) on php-smtp4.php.net X-Spam-Level: X-Spam-Status: No, score=0.8 required=5.0 tests=BAYES_50,DKIM_SIGNED, DKIM_VALID,DKIM_VALID_AU,DKIM_VALID_EF,DMARC_PASS, FREEMAIL_ENVFROM_END_DIGIT,FREEMAIL_FROM,HTML_MESSAGE, RCVD_IN_DNSWL_NONE,RCVD_IN_MSPIKE_H2,SPF_HELO_NONE,SPF_PASS autolearn=no autolearn_force=no version=4.0.0 X-Spam-Virus: No X-Envelope-From: Received: from mail-lj1-f170.google.com (mail-lj1-f170.google.com [209.85.208.170]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature RSA-PSS (2048 bits) server-digest SHA256) (No client certificate requested) by php-smtp4.php.net (Postfix) with ESMTPS for ; Sun, 28 Jul 2024 12:26:24 +0000 (UTC) Received: by mail-lj1-f170.google.com with SMTP id 38308e7fff4ca-2f03df8c8cdso25485511fa.1 for ; Sun, 28 Jul 2024 05:24:48 -0700 (PDT) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20230601; t=1722169486; x=1722774286; darn=lists.php.net; h=cc:to:subject:message-id:date:from:in-reply-to:references :mime-version:from:to:cc:subject:date:message-id:reply-to; bh=b5sPjSlUcsaDFq2DQiePYWu/wXV4JJxkpBy2GhUJPhM=; b=mgnFilvB00ilHrymxo6YD9lSzjZTr8xyvj/BqbOuGrdQEKslQjkAsrUTIXNmp4vCxq gjKYzphE8+CRQvhVD4npyktGDVVbi+cJq6nDVdfQMzGJ06cg8Uu7htqK7Cc0KcizXNPa SudeqdCk/zyWra5DvE3eykMLQxKfOFzmLLxBMQqm+eN2oz7KpfGJGtk8IDPFTYTKvI/O hBRlZDgrkB9uSx0CsmBc6qvqLNad9aiOl87D0xieVo0e8llmrQSLnK7vhts/+JTc1T2Z 1T0Qx5emjinwIp5L54HlVHEc26tN3QbwWJIaZHRSqYi2TyK//umoqJQihQ7oK3ihmZAU nDmQ== X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20230601; t=1722169486; x=1722774286; h=cc:to:subject:message-id:date:from:in-reply-to:references :mime-version:x-gm-message-state:from:to:cc:subject:date:message-id :reply-to; bh=b5sPjSlUcsaDFq2DQiePYWu/wXV4JJxkpBy2GhUJPhM=; b=LgH5sBIXoPDTv0WZ9fMBgPOsQ6VtY7k090Lrpd6+1EX5y6KMLKqMVYviV7nP5cn963 EfOpMub8q2a90zf6mLia7hi03g3gBcUDE38tHxJXLTU2lxocO1KhzSui8rU520e0BcTo n3f8M6l++ukSsAGfVYIKrXzlGBxKtAVR/NQ1eJ1oMbaDhQSHxdwMqawcWJrxc8It0ERB 5RgNzlT7dmOULgSZIwJUzomaJ4hovxYZTd/aoSz7RBVuPBubQfqKWqgbN22zaAKeNepB V3kp8/WC2C70CMADhaeLqi1GTsV3b3sn33ol3GMak9l12to/HRwEm4ofMFNF+hf7Ac04 iOfQ== X-Gm-Message-State: AOJu0YySrOruNYUQb+FpxCy1pMUmwmEIbXjgzFSyVXnkduPCpiimw3CO SM8zW5nrbUkr2WnEq7Ijfry6EsJIAiflZEYCrmEV/A3XJPSTEFNp4ntfaf4/B39slzKdZS/Mos3 KOSvH4OCNeitdBkg7qh5WyRQ2GMR7eMn3 X-Google-Smtp-Source: AGHT+IEgsFK+MBZb4rXIFEK81Xm/1D9Y71CIM0iX6tcJ4yMFG2wzqF2D/W6HrnXwC+t487Wm0mSQV38KF/Vhfbpa4n8= X-Received: by 2002:a2e:9b4b:0:b0:2ef:290e:4a30 with SMTP id 38308e7fff4ca-2f12f10c69bmr11700051fa.16.1722169486025; Sun, 28 Jul 2024 05:24:46 -0700 (PDT) Precedence: bulk list-help: list-post: List-Id: internals.lists.php.net x-ms-reactions: disallow MIME-Version: 1.0 References: <1a88918e-e808-d778-45e1-53797660e093@php.net> <3563cf9b-8eab-4c82-b525-a5d2f9a767bb@varteg.nz> <38920A4B-790D-48C7-B2F6-C49D3F506232@rwec.co.uk> <0824789d-0e36-4628-85c1-4b8d9b7f86af@varteg.nz> In-Reply-To: Date: Sun, 28 Jul 2024 14:24:34 +0200 Message-ID: Subject: Re: [PHP-DEV] [RFC] [VOTE] Deprecations for PHP 8.4 To: "Rowan Tommins [IMSoP]" Cc: PHP internals Content-Type: multipart/alternative; boundary="000000000000752b94061e4dd40e" From: tekiela246@gmail.com (Kamil Tekiela) --000000000000752b94061e4dd40e Content-Type: text/plain; charset="UTF-8" On Sun, Jul 28, 2024, 08:42 Rowan Tommins [IMSoP] wrote: > > > On 27 July 2024 23:14:32 BST, Morgan wrote: > > >Why a SHA2 algorithm? Why not a SHA3 one? How about standalone functions > for both, and then when SHA4 comes along (as it inevitably will) another > standalone function for one of its variants? > > You tell me. As I have repeatedly said, I don't actually know anything > about these algorithms. SHA-256 is the only one on the list which I've > heard of, and I'm aware it's newer than SHA-1. I don't know why SHA-512 > isn't "better", I don't know why nobody talks about SHA-3, and I don't know > if one of the others in the list is absolutely amazing and should be > everyone's default forever. > > As far as I can see, nobody, in this whole discussion, has actually > stepped up and explained what users should be using, once we have taught > them that MD5 and SHA-1 are bad. > > > >Or leave them them the 60-piece set (which includes flat-head and > Phillips screwdrivers, so they're not being taken away), and write some > tips on how to use it correctly. > > So go ahead and write those tips. You don't need an RFC vote to improve > the documentation. > > > Here is my offer to those arguing in favour of this deprecation: If you > show me a draft of a comprehensive improvement to the manual to explain how > users should be choosing a hashing algorithm, I will consider changing my > vote. > > I am also happy to help with proofreading, and working out how to format > it into DocBook that fits nicely in the manual. > > As long as the deprecation rests on "somebody in the next 10 years might > get round to improving the manual", my vote remains a firm No. > > > Regards, > Rowan Tommins > [IMSoP] > I have voted yes only because I thought it's about removing inconsistent function alias. I can't see anything wrong with this hashing algorithms and I don't consider them unsafe. However, as someone pointed out this doesn't seem to be correct as the crc32 function isn't part of the depreciation proposal. I am confused now as to why we are trying to deprecate these functions at all. If it's about people confusing the hashing algorithms with password key stretching algorithms then that's not a valid reason. A red warning in the documentation should aid people in clearing this confusion. > --000000000000752b94061e4dd40e Content-Type: text/html; charset="UTF-8" Content-Transfer-Encoding: quoted-printable


On Sun, Jul 28, 2024, 08:42 Rowan Tommins [IMSoP] <= imsop.php@rwec.co.uk> wrote:=


On 27 July 2024 23:14:32 BST, Morgan <weedpacket@varteg.nz> wro= te:

>Why a SHA2 algorithm? Why not a SHA3 one? How about standalone function= s for both, and then when SHA4 comes along (as it inevitably will) another = standalone function for one of its variants?

You tell me. As I have repeatedly said, I don't actually know anything = about these algorithms. SHA-256 is the only one on the list which I've = heard of, and I'm aware it's newer than SHA-1. I don't know why= SHA-512 isn't "better", I don't know why nobody talks ab= out SHA-3, and I don't know if one of the others in the list is absolut= ely amazing and should be everyone's default forever.

As far as I can see, nobody, in this whole discussion, has actually stepped= up and explained what users should be using, once we have taught them that= MD5 and SHA-1 are bad.


>Or leave them them the 60-piece set (which includes flat-head and Phill= ips screwdrivers, so they're not being taken away), and write some tips= on how to use it correctly.

So go ahead and write those tips. You don't need an RFC vote to improve= the documentation.


Here is my offer to those arguing in favour of this deprecation: If you sho= w me a draft of a comprehensive improvement to the manual to explain how us= ers should be choosing a hashing algorithm, I will consider changing my vot= e.

I am also happy to help with proofreading, and working out how to format it= into DocBook that fits nicely in the manual.

As long as the deprecation rests on "somebody in the next 10 years mig= ht get round to improving the manual", my vote remains a firm No.


Regards,
Rowan Tommins
[IMSoP]

I have voted yes only because I thought it's about removing inco= nsistent function alias. I can't see anything wrong with this hashing a= lgorithms and I don't consider them unsafe. However, as someone pointed= out this doesn't seem to be correct as the crc32 function isn't pa= rt of the depreciation proposal. I am confused now as to why we are trying = to deprecate these functions at all. If it's about people confusing the= hashing algorithms with password key stretching algorithms then that's= not a valid reason. A red warning in the documentation should aid people i= n clearing this confusion.=C2=A0
--000000000000752b94061e4dd40e--