Newsgroups: php.internals
Xref: news.php.net php.internals:82151
Date: Sun, 08 Feb 2015 12:07:37 -0500
From: fsb@thefsb.org (Tom Worster)
To: Derick Rethans, php-internals
Subject: Re: [PHP-DEV] Remove mycrypt. Vote ends Monday

Hi Derick,

On 2/8/15, 11:38 AM, "Derick Rethans" wrote:

>Btw, I only voted no because I don't think we should just remove it. A
>reimplementation of its APIs on top of eg. Open SSL makes sense. And that
>I'd vote yes for.

This idea makes me nervous. It doesn't sound at all easy and will take a lot of time and effort. Commitment to maintaining a security lib over long term is a big deal.

>Remember that just removing quite often used APIs doesn't help anybody.
>It is not unlikely that devs would rather rip out the encryption as a
>quick fix, than porting it to quite awful other APIs, or perhaps even a
>really slow PHP based implementation.

I actually think that it helps users if PHP 7 moves mcrypt to PECL. The developers' quick fix is to continue to use mcrypt. In doing so they should encounter the documentation with scary warning about its long abandoned status.

I'm concerned that a lot of devs relying on mcrypt are not aware of its status and/or what it means. This move would allow them to continue to use mcrypt while making it clear that it's time to plan for an alternative.

Tom