Newsgroups: php.internals
Message-ID: <54D7EFF3.8070408@gmail.com>
Date: Sun, 08 Feb 2015 15:23:31 -0800
From: smalyshev@gmail.com (Stanislav Malyshev)
To: Tom Worster, Derick Rethans, php-internals
Subject: Re: [PHP-DEV] Remove mycrypt. Vote ends Monday

Hi!

> On 2/8/15, 11:38 AM, "Derick Rethans" wrote:
>>
>> Btw, I only voted no because I don't think we should just remove it. A
>> reimplementation of its APIs on top of eg. Open SSL makes sense. And that
>> I'd vote yes for.
>
> This idea makes me nervous. It doesn't sound at all easy and will take a
> lot of time and effort. Commitment to maintaining a security lib over long
> term is a big deal.

The better alternative you are proposing is having no mcrypt extension at
all in core. Which means the users have three choices:

1. Rewrite all their code to a different API (with accompanying costs in
   development, QA, stability, maintenance of a code base now having two
   APIs, etc.)
2. Do not upgrade to PHP 7
3. Use the same extension from PECL

Option 1, however, is very expensive, so it is unlikely most of the users
will choose it. Both options 2 and 3 make the security situation for an
average user worse, as not upgrading means eventually falling out of
supported versions - and we're doing *very badly* in this regard, over 46%
of the users run EOLed versions now and less than 1% run current stable -
and running the PECL one means most core devs will pay next to zero
attention to it.

-- 
Stas Malyshev
smalyshev@gmail.com