Newsgroups: php.internals
Path: news.php.net
Xref: news.php.net php.internals:81665
Return-Path: <narf@devilix.net>
Mailing-List: contact internals-help@lists.php.net; run by ezmlm
Delivered-To: mailing list internals@lists.php.net
Received: (qmail 78894 invoked from network); 2 Feb 2015 22:48:36 -0000
Received: from unknown (HELO lists.php.net) (127.0.0.1)
  by localhost with SMTP; 2 Feb 2015 22:48:36 -0000
Authentication-Results: pb1.pair.com header.from=narf@devilix.net; sender-id=pass
Authentication-Results: pb1.pair.com smtp.mail=narf@devilix.net; spf=pass; sender-id=pass
Received-SPF: pass (pb1.pair.com: domain devilix.net designates 209.85.214.176 as permitted sender)
X-PHP-List-Original-Sender: narf@devilix.net
X-Host-Fingerprint: 209.85.214.176 mail-ob0-f176.google.com  
Received: from [209.85.214.176] ([209.85.214.176:64181] helo=mail-ob0-f176.google.com)
	by pb1.pair.com (ecelerity 2.1.1.9-wez r(12769M)) with ESMTP
	id 69/1B-25089-3CEFFC45 for <internals@lists.php.net>; Mon, 02 Feb 2015 17:48:36 -0500
Received: by mail-ob0-f176.google.com with SMTP id wo20so10673479obc.7
        for <internals@lists.php.net>; Mon, 02 Feb 2015 14:48:32 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
        d=devilix.net; s=google;
        h=mime-version:in-reply-to:references:date:message-id:subject:from:to
         :cc:content-type;
        bh=GfrnilJr3RUtDPVQN/N/E/gJdSZ/OfSH89tsjfkw/Kc=;
        b=WS0SpDhK7E0FlB/OuRrLdbmrFd1Y1o4yqJfT+LR8bABieD5zdnY+cOFDtiFS7v2PqI
         bcntMHxpMEdHsQOVZOLbdnQeDfJ52zyyxMkG4w5kUsTKqbMtmxSZgO/5Zcc5ioGJ+2jD
         p3/JOLHI/eJVdyg08x/i9QnsrpmEafnIv4SIg=
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
        d=1e100.net; s=20130820;
        h=x-gm-message-state:mime-version:in-reply-to:references:date
         :message-id:subject:from:to:cc:content-type;
        bh=GfrnilJr3RUtDPVQN/N/E/gJdSZ/OfSH89tsjfkw/Kc=;
        b=NFaaakkQqv/ul8OJASgzGpJHRNW9FUx6IF7Loshv/FAgokknjVeWcJYpTf8jLI7uEW
         DUCD5Y46hf1tpi1UiKii/zRQzy0TncnSaCWcIN2y/NrcZHi7X+MbQdQWu3UOlOTV0yck
         Mjq3hyKvCc25bZI86O4kOr73YwPWg1CJhu+QcOOM4B8KNWkFXMJ+MlwFjqPywDoa5nUJ
         zYkfYAwe5hsnGJjBAiITGo6yZpcQMKUF8OkrjlDahVTOyxz6okQnaPUJuq3dk/OInR+s
         DmZ85CAnT90SlOG1DtQa2ZW4XWZ62SJ8avfPhX7FMSpoa9Ayg6mdsDQR5nEjbvPizN/m
         bH+w==
X-Gm-Message-State: ALoCoQlC3yUvAGbJ9ICvxbSoZ0kLKh3KYC9GSTBGPqpafrunH8uFQWrD50wi8TR09X0xIs6+Ca2R
MIME-Version: 1.0
X-Received: by 10.202.169.208 with SMTP id s199mr12682479oie.21.1422917311641;
 Mon, 02 Feb 2015 14:48:31 -0800 (PST)
Received: by 10.202.214.205 with HTTP; Mon, 2 Feb 2015 14:48:31 -0800 (PST)
In-Reply-To: <d7b2a3b103b4bad34c70cf02365d8ff9.squirrel@webmail.klapt.com>
References: <cef015a176ff63284f81af24f1e3d774.squirrel@webmail.klapt.com>
	<CAF+90c-dG_jd2LrzbRT2+DXLi+oQj1sien7560KreKm-gQ=Cug@mail.gmail.com>
	<CAPhkiZw0Bqx_rgx6TO-W6Mmfza9L3qB6p6u-n3X_DXeCX2r+Zw@mail.gmail.com>
	<CAPhkiZwaPc6iLjezhhxmKUNE2fj17tN6s7nuL=mvK7NwN7RpBA@mail.gmail.com>
	<2ebcb8f91e4185726e4bf49d5e675c2a.squirrel@webmail.klapt.com>
	<CAPhkiZynQoD72NL7s1g2zZbck9uxOY2LLk33G5ExUE-M2fs8Sg@mail.gmail.com>
	<d7b2a3b103b4bad34c70cf02365d8ff9.squirrel@webmail.klapt.com>
Date: Tue, 3 Feb 2015 00:48:31 +0200
Message-ID: <CAPhkiZyxV5+Dzxzyw5Sbtx95dvsw_+Jem0yv3xFnfmwdaPHF8w@mail.gmail.com>
To: Anatol Belski <anatol.php@belski.net>
Cc: Nikita Popov <nikita.ppv@gmail.com>, PHP internals <internals@lists.php.net>
Content-Type: text/plain; charset=UTF-8
Subject: Re: [PHP-DEV] [RFC][VOTE] Removal of dead or not yet PHP7 ported
 SAPIs and extensions
From: narf@devilix.net (Andrey Andreev)

Hi,

On Tue, Feb 3, 2015 at 12:16 AM, Anatol Belski <anatol.php@belski.net> wrote:
>>>>
>>>> Mcrypt might be dead, but removing it would be a huge BC break. There
>>>>  was some talk of binding mcrypt_*() functions to ext/openssl - I'd
>>>> suggest that instead of removal.
>>>>
>>> that sounds plausible, but the same one could say about mapping to be
>>> removed regex to pcre. If anything of that is going to be happening, so
>>> I
>>> would welcome another RFC and implementation.
>>>
>>
>> Not quite ... ereg has been deprecated since PHP 5.3, while mcrypt was
>> never deprecated and is extremely wide-spread in PHP code (that does
>> encryption) today.
>>
> yeah, looking at the openssl you've mentioned, and which was vulnerable to
> any possible attacks last years, and has fixed those ... Asking myself,
> how a library which wasn't updated since like eight years does feel :) Can
> it still provide that really secure encryption? And should one provide
> something like that as a secure solution?
>
> Comparing with regex I meant, one could provide a replacing API. Just
> where with regex it's more like functionality breach (whereby security as
> well, as that lib wasn't revisited maybe for much longer than mcrypt),
> with mcrypt it's a security weakness we would still try to sell for safe.
>

Well, obviously mcrypt *has* to go away at some point - there's no
doubt about it.

I'm just saying it would be a massive BC break if that happens with no
prior deprecation. If somebody has the motivation to make the userland
API bind to ext/openssl under the hood, that's just a bonus in at
least depending on maintained code.

Cheers,
Andrey.