Newsgroups: php.internals
From: weedpacket@varteg.nz (Morgan)
Date: Tue, 30 Jul 2024 08:00:37 +1200
Subject: Re: [PHP-DEV] [RFC] [VOTE] Deprecations for PHP 8.4
To: internals@lists.php.net

On 2024-07-29 18:47, Rowan Tommins [IMSoP] wrote:
>
>
> On 29 July 2024 02:19:23 BST, Morgan wrote:
>> At that point you've got \PHP\sha3() instead of hash("sha3-?"), and now you've (a) lost the word "hash" indicator of what's going on, and (b) hidden the choice of "?" from the user. I'm not really seeing an improvement.
>
> Once again, you're assuming users have any idea a) what the numbers in the SHA3 variants mean, and b) how to choose between them.
>
> I've seen plenty of uses of SHA-256 in the wild, and none of the other SHA2 variants. I don't know why, I presume people with far more knowledge than me have decided that is a good choice of variant. So when I'm looking for "something better than sha1()", I look for sha256(), remember it doesn't exist, and write hash('sha256', ...)
>
> If I'm doing it wrong, and should be making some calculation to choose SHA-382 or SHA-512, please let me know. But don't assume that just forcing me to put the algorithm name in quote marks is going to make me know, or care, what the name actually means.
>
> Regards,
> Rowan Tommins
> [IMSoP]

It sounds like the argument for retaining md5() and sha1(), and adding to them, isn't that they're easier to use in themselves, but that hash() offers too many alternatives.

If PHP were to offer _one_ specific hash function (that's "one on top of those that it already offers") that can be used without thinking, and leave hash() to those who may have to deal with those alternatives - presumably they already know what they're doing or they wouldn't be dealing with them.

That still doesn't protect md5() and sha1() from deprecation; if there is a PHP-mandated default hash algorithm that gets its own name, then users should be encouraged to use that one, which means not leaving the others lying around for it to hide among. Anyone who needs to continue to support the old algorithms can ... use hash().

When it comes to advice about which to use, that seems less the purview of a PHP reference manual for the function, and more something like https://csrc.nist.gov/projects/hash-functions