Message-ID: <3625ee68-da2b-4887-b8a2-a20ec65844e3@bastelstu.be>
Date: Tue, 30 Jul 2024 21:00:05 +0200
List-Id: internals.lists.php.net
Subject: Re: [PHP-DEV] [RFC] [VOTE] Deprecations for PHP 8.4
To: "Rowan Tommins [IMSoP]", PHP internals
From: tim@bastelstu.be (Tim Düsterhus)

Hi

On 7/26/24 15:13, Rowan Tommins [IMSoP] wrote:
> On Fri, 26 Jul 2024, at 12:58, Tim Düsterhus wrote:
>> I think you are expecting a little too much from a beginner that is
>> following "the modern PHP tutorial" if you expect them to critically
>> question whether the tutorial is actually good or not. They are likely
>> already struggling with syntax and explaining the difference between
>> "if" and "while". You wouldn't believe how often I've heard the term
>> "if-Schleife" (if loop) in German.
>
> I think you are expecting a little too much from a beginner if you think they will see the message "md5() is deprecated", and research up to date advice on hashing algorithms, rather than asking ChatGPT how to make the code work, and replacing it with "hash('md5', ...)".

I am not expecting that from a beginner. I am expecting two things:

1. That the beginner switches to a tutorial that does not emit any error messages or warnings, because they realize that the tutorial is not as good as it claims to be.
2. That (1) leads to the outdated tutorials falling out of favor with regards to search engines or alternatively that the outdated tutorials are updated to no longer be outdated.

>> CRC32 does not claim to be a cryptographically secure hash algorithm.
>> Its use case is completely different.
>
> As an inexperienced user looking at the PHP manual for hash() and hash_algos(), how would I know that? It's right there in the list, just after something called "adler32".
>

I expect the inexperienced user to look at existing tutorials or code snippets, rather than the reference documentation: If they are inexperienced, they would not even know what to look for in the documentation. That also ties into (1): I hope that the deprecation results in better tutorials / making bad tutorials less attractive.

Of course that doesn't mean we shouldn't improve the documentation, and I'm seeing that Christoph and Jim already started doing so.

>> I'm seeing the sarcasm indicator, but I'm compelled to point out that
>> SHA-256 and SHA-512 are both SHA-2. If one is broken, it is likely that
>> the other is as well.
>
> Again, you know that, but do the users you're trying to help by deprecating sha1()? I'm a reasonably experienced developer, and I have no idea why SHA-512 would exist if it's not in some way "better" than SHA-256.
>

See above. Also: Really any choice from the SHA-2 or SHA-3 family is better than both MD5 and SHA-1 and I would expect users to generally gravitate towards things they have heard about before and you really need to try hard not to have heard about SHA-256 before. Wikipedia is also helpful regarding this topic.

Best regards
Tim Düsterhus