Newsgroups: php.internals
From: fsb@thefsb.org (Tom Worster)
Date: Mon, 09 Feb 2015 10:28:08 -0500
To: Stanislav Malyshev, php-internals
Subject: Re: [PHP-DEV] Remove mycrypt. Vote ends Monday

On 2/8/15, 6:23 PM, "Stanislav Malyshev" wrote:

>The better alternative you are proposing is having no mcrypt extension at
>all in core. Which means the users have three choices:
>
>1. Rewrite all their code to a different API (with accompanying costs in
>development, QA, stability, maintenance of code base now having two
>APIs, etc.)
>2. Do not upgrade to PHP 7
>3. Use the same extension from PECL
>
>Option 1 however is very expensive, so it is unlikely most of the users
>will choose it.
>
>Both options 2 and 3 make the security situation for an average user
>worse, as not upgrading means eventually falling out of supported
>versions - and we're doing *very bad* in this regard, over 46% of the
>users run EOLed versions now and less than 1% run current stable - and
>running PECL one means most core devs will pay next to zero attention to
>it.

As a PHP user, I have no interest in running the latest release. I'll stay on 5.5 until the next LTS is mature. I know a lot of PHP users who have a similar attitude: it is sufficient to be on a supported version. People are scared of the bleeding edge and I think that goes a long way to explaining the 1%.

Trying to improve these numbers by bringing along a crypto lib that's been abandoned 8 years ago just doesn't strike me as either justified or plausible. mcrypt is not the difference that makes conservatives like me jump onto the latest release. Nor is it going to help the 43%, which, I imagine, represents apps that aren't ever going to see further development and lazy hosting.

I also disagree with your analysis. There is simply no hurry to get onto PHP 7, so I have time to get rid of mcrypt, something I must do ASAP regardless of whether it is in PHP 7 or not.

In any case, I'll stop discussing this now. The vote outcome won't change in the next 6.5 hours.

Tom