Newsgroups: php.internals
Date: Tue, 13 Jan 2015 09:09:37 +0000
To: Anthony Ferrara
Cc: "internals@lists.php.net"
Subject: Re: [PHP-DEV] Crypt Warnings (was PHP 5.5.21RC1 is ready for testing)
From: leight@gmail.com (Leigh)

On 9 January 2015 at 16:45, Anthony Ferrara wrote:
>
> Changing this fallback behavior to the correct error should happen.
> However, this will likely break a number of live systems which are
> currently relying on the incorrect behavior (likely without knowing
> it).

I'd call this a sec fix. Absolutely preferable to have an error than a
silent fallback to broken crypto.

>
> Then in a future version (7.1, 8, whatever) remove the fallback and
> keep the error along with returning a failure indication (*0).
>

Is 7 really too soon? I know we err on the side of compatibility, but in
my opinion the fallback should be removed completely (any salt starting
with a $ must not degrade to any other method).
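
The rule discussed in this message (a salt starting with `$` must not degrade to another method, and `*0` signals failure) can also be enforced by the caller. The following PHP is an added example, not part of the original message or of PHP itself; the function names are hypothetical and the sample salts and hashes are constructed placeholders.

```php
<?php
// Added example: caller-side check that crypt() used the scheme named in the salt.

function salt_scheme_prefix($salt)
{
    // "$id$" marker of a modular-crypt salt, e.g. "$1$", "$2y$", "$6$".
    return preg_match('/^\$[0-9a-z]+\$/i', $salt, $m) === 1 ? $m[0] : null;
}

function hash_matches_salt_scheme($salt, $hash)
{
    // Failure tokens ("*0", "*1") and anything under 13 characters are not hashes.
    if (!is_string($hash) || strlen($hash) < 13 || $hash[0] === '*') {
        return false;
    }
    if ($salt === '' || $salt[0] !== '$') {
        return true; // legacy salt without a scheme marker: nothing to enforce
    }
    $prefix = salt_scheme_prefix($salt);
    if ($prefix === null) {
        return false; // starts with "$" but names no scheme
    }
    // The output must carry the same scheme marker the salt asked for.
    return strncmp($hash, $prefix, strlen($prefix)) === 0;
}

function strict_crypt($password, $salt)
{
    $hash = crypt($password, $salt);
    if (!hash_matches_salt_scheme($salt, $hash)) {
        throw new RuntimeException('crypt() did not use the scheme named in the salt');
    }
    return $hash;
}

// Constructed inputs: (salt, hash as it might come back, expected verdict).
$cases = array(
    array('$2y$10$' . str_repeat('A', 22), '$2y$10$' . str_repeat('A', 53), true),
    array('$2y$04$tooshort', '$2abcdefghijk', false), // 13-char DES-shaped result
    array('$2y$04$tooshort', '*0', false),            // explicit failure token
);
foreach ($cases as $c) {
    $ok = hash_matches_salt_scheme($c[0], $c[1]);
    printf("%-32s %s\n", $c[1], $ok === $c[2] ? 'as expected' : 'UNEXPECTED');
}
```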