Newsgroups: php.internals
Xref: news.php.net php.internals:91857
Date: Tue, 22 Mar 2016 14:24:49 -0400
To: Nikita Popov
Cc: PHP Internals
Subject: Re: [PHP-DEV] [RFC][VOTE] Deprecate then Remove Mcrypt Closed (23-6)
From: scott@paragonie.com (Scott Arciszewski)

On Tue, Mar 22, 2016 at 2:21 PM, Nikita Popov wrote:

> On Tue, Mar 22, 2016 at 6:00 PM, Scott Arciszewski wrote:
>
>> Hi all,
>>
>> https://wiki.php.net/rfc/mcrypt-viking-funeral
>>
>> The tally of closing (2016-03-22T17:00:00) is 23 Yes, 6 No. This is a 79.3%
>> favorable response, which exceeds the 2/3 majority by a significant margin.
>>
>> Thanks to everyone who voted or participated in this discussion.
>>
>> I've heard and respect some of the objections raised by folks who voted No,
>> but moving this liability out of the core into PECL as soon as possible is
>> not only a good move for the security of PHP applications, but now we know
>> it's the choice the community wants.
>>
>> As promised, I'll get the E_DEPRECATED patch written soon.
>>
>> Additionally, I will have a decrypt-only mcrypt polyfill project written
>> hopefully before 7.1.0-alpha but definitely before 7.1.0. This will allow
>> people to migrate towards something better, e.g.
>> openssl_encrypt()/openssl_decrypt().
>>
>
> I wonder if we should retain support for mcrypt_create_iv(), while dropping
> the rest of mcrypt. mcrypt_create_iv(), while being prefixed with mcrypt_,
> has absolutely nothing to do with libmcrypt, it only landed in that
> namespace out of convenience. Prior to PHP 7 it was probably the best
> source of cryptographically strong randomness in PHP.
>
> Nikita

Given that mcrypt_create_iv() was part of the extension (which was actively
maintained) and not part of the library (which was abandonware), it would be
in the spirit of what was voted on to keep it (at least as an alias for
random_bytes()). However, that was not covered by what everyone voted for.
How would you like to proceed?

Scott Arciszewski
Chief Development Officer
Paragon Initiative Enterprises