Newsgroups: php.internals
Path: news.php.net
Xref: news.php.net php.internals:82148
Return-Path: <derick@php.net>
Mailing-List: contact internals-help@lists.php.net; run by ezmlm
Delivered-To: mailing list internals@lists.php.net
Received: (qmail 3447 invoked from network); 8 Feb 2015 16:38:56 -0000
Received: from unknown (HELO lists.php.net) (127.0.0.1)
  by localhost with SMTP; 8 Feb 2015 16:38:56 -0000
Authentication-Results: pb1.pair.com smtp.mail=derick@php.net; spf=unknown; sender-id=unknown
Authentication-Results: pb1.pair.com header.from=derick@php.net; sender-id=unknown
Received-SPF: unknown (pb1.pair.com: domain php.net does not designate 82.113.146.227 as permitted sender)
X-PHP-List-Original-Sender: derick@php.net
X-Host-Fingerprint: 82.113.146.227 xdebug.org Linux 2.6
Received: from [82.113.146.227] ([82.113.146.227:54950] helo=xdebug.org)
	by pb1.pair.com (ecelerity 2.1.1.9-wez r(12769M)) with ESMTP
	id C0/14-15550-C1197D45 for <internals@lists.php.net>; Sun, 08 Feb 2015 11:38:55 -0500
Received: from [10.242.16.174] (unknown [85.255.232.215])
	by xdebug.org (Postfix) with ESMTPSA id 88EAFE202E;
	Sun,  8 Feb 2015 16:38:49 +0000 (GMT)
User-Agent: K-9 Mail for Android
In-Reply-To: <D0FCED17.5D2CB%fsb@thefsb.org>
References: <D0FCED17.5D2CB%fsb@thefsb.org>
MIME-Version: 1.0
Content-Transfer-Encoding: 8bit
Content-Type: text/plain;
 charset=UTF-8
Date: Sun, 08 Feb 2015 16:38:47 +0000
To: Tom Worster <fsb@thefsb.org>,php-internals <internals@lists.php.net>
Message-ID: <B36498AB-D50F-4718-8C13-A4957078BCA3@php.net>
Subject: Re: [PHP-DEV] Remove mycrypt. Vote ends Monday
From: derick@php.net (Derick Rethans)

Tom Worster <fsb@thefsb.org> schreef op 8 februari 2015 15:38:15 GMT+00:00:
>mycrypt was abandoned by its developers in 2007. The package in Debian
>is
>from 2009. It has been removed from RHEL.
>
>This is already unacceptable. But it would be an insult to the idea of
>"security" to include mcrypt in PHP 7.
>
>The vote to remove mcrypt is at present tied roughly 13:13. If you have
>a
>vote and haven't used it yet, I urge you to consider doing so. Voting
>ends
>tomorrow 2015-02-09 at 23:00 CET
>
>https://wiki.php.net/rfc/removal_of_dead_sapis_and_exts#extmcrypt

Btw, I only voted no because I don't think we should just remove it.  A reimplementation of its APIs on top of eg. Open SSL makes sense. And that I'd vote yes for.

Calling for a random deletion is misguided. 

Remember that just removing quite often used APIs doesn't help anybody. It is not unlikely that devs would rather rip out the encryption as a quick fix, than porting it to quite awful other APIs, or perhaps even a really slow PHP based implementation.

cheers, 
Derick - mcrypt extension author