Newsgroups: php.internals Path: news.php.net Xref: news.php.net php.internals:124670 X-Original-To: internals@lists.php.net Delivered-To: internals@lists.php.net Received: from php-smtp4.php.net (php-smtp4.php.net [45.112.84.5]) by qa.php.net (Postfix) with ESMTPS id 87FF11A00BD for ; Mon, 29 Jul 2024 01:19:36 +0000 (UTC) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=php.net; s=mail; t=1722216073; bh=oJzwb/agTvVh8Fxn71Q5HKQK3KsRPlDtbYm/8sWlHqs=; h=Date:Subject:To:References:From:In-Reply-To:From; b=QSPax42yAg6xz8oVhlfuh4Ty3Y7T5u2tmtTpN+VhIW8W+57Y5SHHGlRjdXyr5KytI /H3xvJfbVmbnCrRpAEY6PmA6n9t7DlBvzq1dQnm7K0UhPoYHwCfE4P+pIPcvm2RQe4 y3+KoLnysc6g7QVyiTNkDW3G5sjPOzTeLwMRecB0Ykcq92dd99pRoAUo26x/fL/XiV YbxO1ARVCcXLO8DZmTqyT1XGaUMb1pKDV1QlxnWvCmDq4ce5sTAOxc+cAGcMwQHm45 gzw5+f2O2+SgD8cEadpmjoIg4AyumgUCwKp6TG3xFnQWpdravg9cvTTugKin53aNI9 35O4tDQ5ac6zQ== Received: from php-smtp4.php.net (localhost [127.0.0.1]) by php-smtp4.php.net (Postfix) with ESMTP id 93998180054 for ; Mon, 29 Jul 2024 01:21:10 +0000 (UTC) X-Spam-Checker-Version: SpamAssassin 4.0.0 (2022-12-13) on php-smtp4.php.net X-Spam-Level: X-Spam-Status: No, score=0.8 required=5.0 tests=BAYES_50,DMARC_MISSING, SPF_HELO_NONE,SPF_PASS autolearn=no autolearn_force=no version=4.0.0 X-Spam-Virus: No X-Envelope-From: Received: from megan.smtp.mailx.hosts.net.nz (megan.smtp.mailx.hosts.net.nz [43.245.52.196]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange ECDHE (prime256v1) server-signature RSA-PSS (2048 bits) server-digest SHA256) (No client certificate requested) by php-smtp4.php.net (Postfix) with ESMTPS for ; Mon, 29 Jul 2024 01:21:09 +0000 (UTC) Received: from 125-237-145-229-fibre.sparkbb.co.nz ([125.237.145.229] helo=[192.168.1.68]) by megan.smtp.mailx.hosts.net.nz with esmtpsa authed as varteg.nz (TLS1.3:ECDHE_X25519__RSA_PSS_RSAE_SHA256__AES_128_GCM:128) (Exim 4.96) (envelope-from ) id 1sYF2u-008HgN-15 for internals@lists.php.net; Mon, 29 Jul 2024 13:19:28 +1200 Message-ID: <2b931735-d8ed-4146-8e24-d76c2fa82d06@varteg.nz> Date: Mon, 29 Jul 2024 13:19:20 +1200 Precedence: bulk list-help: list-post: List-Id: internals.lists.php.net x-ms-reactions: disallow MIME-Version: 1.0 User-Agent: Mozilla Thunderbird Subject: Re: [PHP-DEV] [RFC] [VOTE] Deprecations for PHP 8.4 To: internals@lists.php.net References: <1a88918e-e808-d778-45e1-53797660e093@php.net> <3563cf9b-8eab-4c82-b525-a5d2f9a767bb@varteg.nz> <38920A4B-790D-48C7-B2F6-C49D3F506232@rwec.co.uk> <0824789d-0e36-4628-85c1-4b8d9b7f86af@varteg.nz> Content-Language: en-GB In-Reply-To: Content-Type: text/plain; charset=UTF-8; format=flowed Content-Transfer-Encoding: 7bit X-Hosts-DKIM-Check: none From: weedpacket@varteg.nz (Morgan) On 2024-07-28 18:42, Rowan Tommins [IMSoP] wrote: > > > On 27 July 2024 23:14:32 BST, Morgan wrote: > >> Why a SHA2 algorithm? Why not a SHA3 one? How about standalone functions for both, and then when SHA4 comes along (as it inevitably will) another standalone function for one of its variants? > > You tell me. As I have repeatedly said, I don't actually know anything about these algorithms. SHA-256 is the only one on the list which I've heard of, and I'm aware it's newer than SHA-1. I don't know why SHA-512 isn't "better", I don't know why nobody talks about SHA-3, and I don't know if one of the others in the list is absolutely amazing and should be everyone's default forever. > > As far as I can see, nobody, in this whole discussion, has actually stepped up and explained what users should be using, once we have taught them that MD5 and SHA-1 are bad. > > >> Or leave them them the 60-piece set (which includes flat-head and Phillips screwdrivers, so they're not being taken away), and write some tips on how to use it correctly. > > So go ahead and write those tips. You don't need an RFC vote to improve the documentation. > > > Here is my offer to those arguing in favour of this deprecation: If you show me a draft of a comprehensive improvement to the manual to explain how users should be choosing a hashing algorithm, I will consider changing my vote. > > I am also happy to help with proofreading, and working out how to format it into DocBook that fits nicely in the manual. > > As long as the deprecation rests on "somebody in the next 10 years might get round to improving the manual", my vote remains a firm No. > > > Regards, > Rowan Tommins > [IMSoP] Hey, all I'm doing is pointing out that the only reason those functions were standalone to start with is because when they were added they were the only ones around; they weren't introduced as "easier to use" alternatives to the more generic case. If hash() had been added in PHP with half a dozen different algorithms right at the beginning, would md5() and sha1() have been given special treatment? Possibly: MD5 (and later SHA1) got all the publicity at the time. Whether they are "bad" or "should not be used" has nothing to do with that. I understand that the RFC is hard on them because they are broken algorithms that don't have any advantages over others that have been added since and therefore the language shouldn't be encouraging their use by providing dedicated functions for them, I'm just pointing out that those dedicated functions are historical artefacts. I haven't seen an explanation of what makes them "easier to use": if you want to use md5() (for whatever reason: I don't care) it's not that hard to write hash("md5") instead. I just went through a file deduplication utility of mine and did exactly that. Yes, I am using MD5 as a message digest algorithm.