Newsgroups: php.internals
Path: news.php.net
Xref: news.php.net php.internals:128655
X-Original-To: internals@lists.php.net
Delivered-To: internals@lists.php.net
Received: from php-smtp4.php.net (php-smtp4.php.net [45.112.84.5])
	by lists.php.net (Postfix) with ESMTPS id 5B7861A00BC
	for <internals@lists.php.net>; Mon,  8 Sep 2025 14:46:06 +0000 (UTC)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=php.net; s=mail;
	t=1757342678; bh=A+bGdBv2acDFw1w4l0kdjRxQJvZXpMtBTWWf2Vb91Gw=;
	h=Date:From:To:Cc:Subject:In-Reply-To:References:From;
	b=hhXs5PL+i8kVWuGhYC8ScVl5EnoqaVQs3RaxM0js57vIxTjfwSua1pwpnFBxbfxWk
	 W5jYGC5bO5RxhRBtfFlQPkfR2Fs5wxhLJMuIlcaqCD9rSTaI1+p8f+1kFGdMLM6shE
	 1xBvj87TH5rIwndvyj47d0bjWhVXRmQqih9egucOKeqCBS4ifoBcMAGxe1TC6Re1aA
	 VcTmzy33B4LLqWeypAxGrfGTkxuojM1Tw7KsZECxkEDu+k+OCUs1KDHOjhTCU89DEo
	 2tAMAeoxSYFwYqCUWO106fUTrSQnhyDMc3RbZ3bSXAru/XbSt6I/CC9ggIQH9m/z2c
	 JzHdMrSLpwB/g==
Received: from php-smtp4.php.net (localhost [127.0.0.1])
	by php-smtp4.php.net (Postfix) with ESMTP id 983F91801D8
	for <internals@lists.php.net>; Mon,  8 Sep 2025 14:44:34 +0000 (UTC)
X-Spam-Checker-Version: SpamAssassin 4.0.1 (2024-03-25) on php-smtp4.php.net
X-Spam-Level: 
X-Spam-Status: No, score=-0.7 required=5.0 tests=BAYES_05,DKIM_SIGNED,
	DKIM_VALID,DKIM_VALID_AU,DKIM_VALID_EF,DMARC_PASS,SPF_HELO_NONE,
	SPF_PASS autolearn=no autolearn_force=no version=4.0.1
X-Spam-Virus: No
X-Envelope-From: <tim@bastelstu.be>
Received: from chrono.xqk7.com (chrono.xqk7.com [176.9.45.72])
	(using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits)
	 key-exchange X25519 server-signature RSA-PSS (2048 bits) server-digest SHA256)
	(No client certificate requested)
	by php-smtp4.php.net (Postfix) with ESMTPS
	for <internals@lists.php.net>; Mon,  8 Sep 2025 14:44:34 +0000 (UTC)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=bastelstu.be;
	s=mail20171119; t=1757342760;
	bh=hcO/huC3/RiBjho2mOKNVBi8zBbYosN4m9SM+w2DfkM=;
	h=MIME-Version:Date:From:To:Cc:Subject:In-Reply-To:References:
	 Message-ID:Content-Type:from:to:cc:subject:message-id;
	b=JyZIEcBlaHJ56I2VJJYKW1z2R9YHyhcO3mL08oBhvOXYc5Eq//9JZoGzri0gxf6Z4
	 nmRSns1dqB25wx4bFQTuNxDwHXoXLBiMZW0u/uw1w0rSYqozr/EwIPv4muvB0sy1Pl
	 eKls6xP1PcZ5mtsnLeKFQX5MykPphzgMb0X0RdfPhiqZwSReP0GEcruLvyqpN8znRy
	 4cVFOvVycJ7U9LxmfNjyAk6qDahdNlFFQZ1thdCJrhuIFo3sTcqXPS2o7nbUQADE1a
	 /wASun9If9YQ+uadedAVyneQ1aZyKy8hp78KUhhV0gImvV3jB4986kIBhzNaM1vWz7
	 ibce6t3ttWNGA==
Precedence: list
list-help: <mailto:internals+help@lists.php.net
list-unsubscribe: <mailto:internals+unsubscribe@lists.php.net>
list-post: <mailto:internals@lists.php.net>
List-Id: <internals.lists.php.net>
x-ms-reactions: disallow
MIME-Version: 1.0
Date: Mon, 08 Sep 2025 16:45:59 +0200
To: Nicolas Grekas <nicolas.grekas+php@gmail.com>
Cc: PHP Internals List <internals@lists.php.net>
Subject: Re: [PHP-DEV] [RFC] Soft-Deprecate __sleep() and __wakeup()
In-Reply-To: <CAOWwgpk1Z_bns=Z55TqpYOBXvBGpurMfjTGPSgQ6Uf5QXfLOjg@mail.gmail.com>
References: <CAOWwgpk1Z_bns=Z55TqpYOBXvBGpurMfjTGPSgQ6Uf5QXfLOjg@mail.gmail.com>
Message-ID: <cddcbba0366184b616e34637b424645e@bastelstu.be>
Content-Type: text/plain; charset=UTF-8;
 format=flowed
Content-Transfer-Encoding: 8bit
From: tim@bastelstu.be (=?UTF-8?Q?Tim_D=C3=BCsterhus?=)

Hi

Am 2025-09-05 17:53, schrieb Nicolas Grekas:
> Hello internals,
> 
> Following the discussion that started at
> https://externals.io/message/128226#128456 I wrote this RFC to 
> formalize
> our consensus on the topic.
> 
> TL;DR, this is about converting the deprecation of __sleep and __wakeup 
> to
> a documentation-based soft deprecation:
> https://wiki.php.net/rfc/soft-deprecate-sleep-wakeup

Thank you for the RFC. I have some comments:

1.

I disagree with the phrasing that the RFC passed with a “narrow margin”. 
While it is technically true, that this is the narrowest margin for 
accepting an RFC, the necessary margins are already biased in favor of 
not accepting an RFC. That the RFC was accepted means that a significant 
majority of voters were in favor of the deprecation. I did not vote, 
since I did not have sufficient time to form an opinion on the RFC, but 
given the knowledge I've gained as part of the discussion I would now 
vote in favor of the RFC.

2.

The examples are biased. As an example, the initial “User” example has a 
serialization hook that is completely useless. The other examples try to 
replicate `__sleep()`'s broken behavior exactly, which seems to be a 
relevant requirement in the real world for only a minority of users.

3.

Similarly, I believe that the RFC *overstates* the cost of the 
deprecation. From my experience a majority of serialization hooks will 
just unconditionally throw an exception to prevent serialization. The 
truth is probably somewhere in the middle.

4.

The RFC correctly acknowleges that `__sleep()` is broken with regard to 
private properties, but at the same time claims that the deprecation 
does not fix a “correctness problem”, which is a contradiction.

5.

The serialization mechanism is also a security sensitive part of the 
language, the fewer moving parts there are, the better. Security is part 
of the motivation for me.

----------------------

That all said, as I've said before: I see that replacing __wakeup() by 
__unserialize() is non-trivial and I would be okay with deferring that 
one until we have some helper (e.g. `**s**et_mangled_object_vars`). But 
__sleep() can just go away.

Best regards
Tim Düsterhus