Newsgroups: php.internals
Xref: news.php.net php.internals:96543
From: daniel@honestempire.com (Daniel Morris)
To: internals@lists.php.net
Date: Fri, 21 Oct 2016 21:14:06 +0100
Subject: Re: [PHP-DEV] Intention to move mcrypt to PECL

On Thu, 6 Oct 2016, at 11:41 AM, Lester Caine wrote:
> It is already an established component in PHP and while its use has
> been discouraged for a long time, simply switching it off will break a
> lot of legacy applications.

How many applications that are not following standard security guidelines are not following basic security principles? It doesn't matter if it's an established component; a vulnerability is a vulnerability.

BC shouldn't matter, especially for those who are not willing to patch their applications to use the latest information we have available to us. You either keep up with changes, or you don't.

New majors, and even minors (if we're ignoring semantic versioning), should be able to change something; it should be up to the maintainers of an application to decide whether it's time to upgrade or not. Internals shouldn't manage that for you. If you're using Composer, you can lock your dependencies to prevent your application from breaking. If you're up to date with the latest information, you can choose to evolve.

Mcrypt now (I think) belongs in PECL. I will be looking at (a major) code repository over the next few weeks and looking to provide a simple upgrade path.

DM