Newsgroups: php.internals
From: imsop.php@rwec.co.uk ("Rowan Tommins [IMSoP]")
Date: Wed, 31 Jul 2024 22:38:33 +0100
Subject: Re: [PHP-DEV] [RFC] [VOTE] Deprecations for PHP 8.4
To: internals@lists.php.net
Message-ID: <9cdc0881-77dd-447d-8bc1-e572a7572db5@rwec.co.uk>
In-Reply-To: <31ef5c07-b472-431b-9214-f4a9c23080d4@bastelstu.be>

On 30/07/2024 21:57, Tim Düsterhus wrote:
> Let me attempt to give an explanation. As of today users should use in
> order of priority:
>
> 1. The hash function they need for interoperability: If a service
> provides a SHA-1 checksum, then there is no choice and SHA-1 needs to
> be used.
> 2. The hash function their security team requests them to use.
> 3. A function from the SHA-2 family, with SHA-256 being a good default
> choice, because that's the secure default choice across the industry.

Thanks, this is a good concise explanation, and exactly the kind of thing I think should be in the documentation *before* we start telling people they're "doing it wrong" by using md5() or sha1().

It also strengthens my conviction that we should add sha256() and sha256_file() as standalone functions: a "good default choice" is really all most users want or need.
There seems to be no risk of us needing to add a new function every other year, or provide a dozen functions to cover different use cases. Users in scenarios 1 or 2 will know what to look up in the hash_algos() list and pass to hash(). Users who have complex use cases like incremental hashing, or whatever hash_hkdf() does, can keep using the complex but flexible functions that provide those facilities.

Note that if SHA-256 ever stops being the recommendation, having a sha256() function will give us the same opportunity we have now with md5() and sha1(): to issue a message to users of the standalone function, but keep the algorithm fully available in hash().

Regards,

-- 
Rowan Tommins [IMSoP]
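
The split discussed in this message, as an added PHP example that is not part of the original post or of PHP itself: `example_sha256()` and `example_sha256_file()` are hypothetical userland stand-ins for the proposed standalone functions, while `checksum_matches()` covers scenarios 1 and 2 by looking the required algorithm up in `hash_algos()`. The helper names, the temporary file and its content are assumptions constructed for illustration.

```php
<?php
declare(strict_types=1);

// Hypothetical stand-ins for the proposed sha256()/sha256_file();
// PHP does not ship functions with these names.
function example_sha256(string $data): string
{
    return hash('sha256', $data);
}

function example_sha256_file(string $path): string
{
    $digest = hash_file('sha256', $path);
    if ($digest === false) {
        throw new RuntimeException("cannot read $path");
    }
    return $digest;
}

// Scenarios 1 and 2: the algorithm is dictated by a service or a security
// team, so it is checked against hash_algos() and passed to hash_file().
function checksum_matches(string $path, string $algo, string $expectedHex): bool
{
    if (!in_array($algo, hash_algos(), true)) {
        throw new InvalidArgumentException("unsupported algorithm: $algo");
    }
    $actual = hash_file($algo, $path);
    if ($actual === false) {
        throw new RuntimeException("cannot read $path");
    }
    // hash_file() returns lowercase hex; normalise the published value and
    // compare without leaking the position of the first mismatch.
    return hash_equals(strtolower(trim($expectedHex)), $actual);
}

// Constructed sample: a temporary file containing the bytes "abc".
$path = tempnam(sys_get_temp_dir(), 'hash');
file_put_contents($path, 'abc');

// Scenario 1: a service publishes only a SHA-1 checksum (uppercase here).
var_dump(checksum_matches($path, 'sha1', 'A9993E364706816ABA3E25717850C26C9CD0D89D'));

// Scenario 3: no external constraint, so the SHA-256 default is used.
var_dump(example_sha256_file($path) === example_sha256('abc'));

unlink($path);
```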