Newsgroups: php.internals
From: ircmaxell@gmail.com (Anthony Ferrara)
To: Pierre Joye
Cc: Stas Malyshev, Hannes Magnusson, "internals@lists.php.net"
Date: Tue, 11 Sep 2012 07:41:36 -0400
References: <504E6862.4080608@sugarcrm.com>
Subject: Re: [PHP-DEV] [VOTE] Add simplified password hashing API

Pierre,

On Tue, Sep 11, 2012 at 2:14 AM, Pierre Joye wrote:

> hi Stas,
>
> On Tue, Sep 11, 2012 at 12:23 AM, Stas Malyshev wrote:
> > OTOH, PECL module that can be built in 5.3/5.4 too might be nice. Not
> > everybody is going to upgrade to 5.5 soon, so having them participate
> > would be good too. Maybe we could do it as a module and have it workable
> > as PECL too for those who are not on 5.5? PHP solution is not really the
> > same - if we have two separate codebases, nobody can be sure they
> > actually do the same thing.
>
> Yes, that's actually what I wanted to ask as well for this ext. But
> I'm not sure it is easy as it relies on PHP APIs which were not exposed
> in 5.3 nor 5.4. Maybe we could expose them in the next releases (to
> check which).
>

That is correct. It involved refactoring crypt() internally to expose an
internal API for php_crypt:
https://github.com/ircmaxell/php-src/blob/hash_password/ext/standard/crypt.c#L148

It's not the end of the world, because we can copy/paste that function into
the PECL extension, and just conditionally include it. There would be
duplication between the two, but it wouldn't be too bad...

> However maintaining both core and pecl can be sometimes time consuming
> (hours matter, not days :), but it is definitively a great way to
> provide updates more frequently or to provide more tests releases
> (beta).
>
> Anthony, is it something you would consider? It could also help to
> speed up the adoption.
>

Consider? Sure. But I'm not sure it's worthwhile. Stas brought up the
adoption point, which I think is the kicker. The target audience for this
API is not the type that usually has access to install PECL extensions.
So while some may use it as an extension, the majority who would
significantly benefit from it wouldn't be able to. So the benefit to
releasing it as a PECL extension would basically defeat the point...

And to Stas's point about the PHP solution not being the same, I fail to
understand why. It's built using identical algorithms (translated from C to
PHP as best as possible). It's tested using the same tests with the only
difference surrounding error messages. Plus it's portable (can be used on
shared hosts). The only real difference is testing the PHP version doesn't
say anything to the *security* of the C version. But it does test the API
and the concept...

Anthony
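The question raised in the thread, whether a userland PHP implementation and the C implementation "actually do the same thing", can be checked by hashing with one and verifying with the other. The sketch below is an added example, not code from the message, php-src, or any PECL package; the `compat_*` function names are hypothetical, and it assumes PHP 5.3.7 or later (for the `$2y$` bcrypt prefix in `crypt()`) with `random_bytes()` or the OpenSSL extension available.

```php
<?php
// Added example: compat_* names are hypothetical, not php-src or PECL code.

// Constant-time string comparison (hash_equals() only exists from PHP 5.6).
function compat_equals($known, $given)
{
    if (strlen($known) !== strlen($given)) {
        return false;
    }
    $diff = 0;
    for ($i = 0, $n = strlen($known); $i < $n; $i++) {
        $diff |= ord($known[$i]) ^ ord($given[$i]);
    }
    return $diff === 0;
}

// Userland bcrypt hashing built on crypt(); bcrypt accepts cost 4..31.
function compat_hash($password, $cost = 10)
{
    if ($cost < 4 || $cost > 31) {
        return false;
    }
    $raw = function_exists('random_bytes') ? random_bytes(16) : openssl_random_pseudo_bytes(16);
    // Keep 22 characters (drops the '=' padding); '+' is then the only
    // base64 character outside bcrypt's salt alphabet.
    $salt = substr(strtr(base64_encode($raw), '+', '.'), 0, 22);
    $hash = crypt($password, sprintf('$2y$%02d$', $cost) . $salt);
    return (is_string($hash) && strlen($hash) === 60) ? $hash : false;
}

// Userland bcrypt verification: re-hash with the stored hash as the salt.
function compat_verify($password, $hash)
{
    $check = crypt($password, $hash);
    // crypt() signals failure with "*0" or "*1", so require a full bcrypt hash.
    return is_string($check) && strlen($check) === 60 && compat_equals($hash, $check);
}

// Hash and verify in userland, then cross-check against the native API if present.
function compat_cross_check($password)
{
    $userland = compat_hash($password);
    $ok = $userland !== false
        && compat_verify($password, $userland)
        && !compat_verify($password . 'x', $userland);
    if (function_exists('password_hash')) {   // PHP >= 5.5
        $native = password_hash($password, PASSWORD_BCRYPT, array('cost' => 10));
        $ok = $ok && compat_verify($password, $native)   // native hash, userland verify
                  && password_verify($password, $userland); // userland hash, native verify
    }
    return $ok;
}

var_dump(compat_cross_check('constructed sample password'));
```

A passing cross-check shows that the two code paths interoperate on the same hash format; as the message itself notes, it says nothing about the security of the C implementation.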