Newsgroups: php.internals
Date: Mon, 10 Sep 2012 22:46:14 +0100
To: Anthony Ferrara
Cc: internals@lists.php.net
Subject: Re: [PHP-DEV] [VOTE] Add simplified password hashing API
From: hannes.magnusson@gmail.com (Hannes Magnusson)

On Mon, Sep 10, 2012 at 3:31 PM, Anthony Ferrara wrote:
> Hannes,
>
> On Sun, Sep 9, 2012 at 12:23 PM, Hannes Magnusson
> wrote:
>>
>> On Tue, Sep 4, 2012 at 3:16 PM, Anthony Ferrara
>> wrote:
>> > Hello all,
>> >
>> > I'm opening the vote for the simplified password hashing API indicated
>> > here:
>> >
>> > https://wiki.php.net/rfc/password_hash
>> >
>>
>>
>> I like the idea, but I don't understand why this isn't developed as an
>> extension first and then brought into core when it has proven to work
>> and actually simplify things for the user?
>
>
> First off, this has been discussed on the list for literally months. Why
> wait until the day before voting can end before bringing this up?

So commenting is strictly forbidden during votes?

> Secondly, the main reason for not developing this as an extension is that
> there's really no benefit to it. There are little to no performance gains to
> be had by the C implementation. It can live quite as easily as a PHP
> library.

The benefit is that it can be tested properly and bugs discovered and
ironed out first.
This is not the sort of thing you want to get security bug reports the
day after it's released in core.
If your ego is big enough you can guarantee you have tested this
thoroughly and want it to become the recommended way.. You have to be
damn sure you don't fuck it up.

This is exactly the sort of thing that doesn't need to be developed in
the core tree, but can later be merged in once proven successful.

Like I said, I really like the idea, just don't see why it isn't
tested out as a pecl extension first.

>> Especially considering the patch is unfinished.
>
>
> Aside from adding a few more tests, what's unfinished? If you're referring
> to the line in the RFC, I just haven't updated it. The patch has been worked
> on and is in a place where I'd be comfortable submitting it...

The test suite seems very limited, and the code seems to be waiting
for more algorithms to be implemented.

-Hannes