Hi
On 7/8/24 07:25, Andreas Heigl wrote:
I don't mind putting the work in when there is a good justification, but
I don't see one for this deprecation.
The only one I can see is cleaning up the codebase and removing
duplicate methods.
But the RFC definitely states that it is to "encourage users to use a
secure hash functions, instead of using an insecure algorithm"
Which is fine. But I am totally with you that deprecating a function by
encouraging users to use the same insecure algorithm via a different
function is ... an interesting take to say the least.
Gina already mentioned it in the long email from earlier today, but for
reference:
The intention is that the users do not perform a mindless search and
replace, but instead use the opportunity to re-evaluate the choice on a
case by case basis.
Cleaning up the codebase is not a concern, because the implementation of
the functions is trivial.
However cleaning up the documentation and API surface *is* something
that is useful. As an example it is easier for the (inexperienced) user
to navigate the documentation, because all the hashing functionality is
available by the standard 'hash' functions. It also makes maintaining
the documentation easier. As an example a few months ago, I updated all
the examples to no longer showcase 'md5' and instead showcase the usage
of 'sha256':
https://github.com/php/doc-en/commit/20dcfbb0dd7150cbe5dfd7903a3001229295c549
Of course the functions still support MD5, but now the documentation
shows current best practices. Anyone whom I trust to use MD5 safely, I
also trust to understand how to use it by means of the hash() function
and for all the others the examples will be helpful in writing safer code.
Also, once the users have migrated to the hash() function, they will be able
to switch out algorithms much more easily going forward, because the
algorithm choice can easily be stored in a central configuration and
passed as a string. (no, no one calls functions using a dynamic name).
In other words, the goal of the proposal is the anticipated positive
downstream effects in overall ecosystem safety and simplified learning
curve for new PHP developers.
Best regards
Tim Düsterhus
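The migration pattern Tim describes above (replace the dedicated digest function with hash(), and treat the algorithm as a configuration string rather than a baked-in call), as an added PHP example that is not part of the mailing-list thread or of PHP's own code. The constant CONTENT_DIGEST_ALGO and the function names are illustrative; the payload is constructed for the example.

```php
<?php
declare(strict_types=1);

// Added example, not code from the PHP project or from the thread above.
// Shows (a) what a mindless search-and-replace of md5() buys you (nothing),
// and (b) the re-evaluated form: hash() with the algorithm taken from one
// central configuration value. CONTENT_DIGEST_ALGO, legacyContentDigest(),
// digestContent() and verifyContentDigest() are illustrative names.

// Before: the algorithm is fixed at every call site.
function legacyContentDigest(string $data): string
{
    return md5($data);
}

// Central configuration. Changing this one string later (e.g. to
// 'sha3-256') is the whole migration for every caller of digestContent().
const CONTENT_DIGEST_ALGO = 'sha256';

function digestContent(string $data, string $algo = CONTENT_DIGEST_ALGO): string
{
    // Validate the configured name against what this PHP build supports.
    // hash() itself throws a ValueError for an unknown algorithm (PHP 8+),
    // but failing early with a clear message keeps misconfiguration obvious.
    if (!in_array($algo, hash_algos(), true)) {
        throw new InvalidArgumentException("Unsupported digest algorithm: {$algo}");
    }

    return hash($algo, $data);
}

// When a stored digest is checked, compare with hash_equals() so the
// comparison does not leak the position of the first differing byte.
function verifyContentDigest(
    string $data,
    string $expectedHex,
    string $algo = CONTENT_DIGEST_ALGO
): bool {
    return hash_equals($expectedHex, digestContent($data, $algo));
}

$payload = "constructed sample payload\n";

// (a) The search-and-replace result: hash('md5', ...) is still MD5 and
// produces the byte-for-byte identical hex string. Nothing got safer.
$same = hash('md5', $payload) === legacyContentDigest($payload);
echo 'hash("md5") equals md5(): ', $same ? 'yes' : 'no', PHP_EOL;

// (b) The re-evaluated call: same shape, algorithm chosen centrally.
$digest = digestContent($payload);
echo CONTENT_DIGEST_ALGO, ' digest: ', $digest, PHP_EOL;
echo 'verify original: ', verifyContentDigest($payload, $digest) ? 'ok' : 'mismatch', PHP_EOL;
echo 'verify tampered: ', verifyContentDigest($payload . 'x', $digest) ? 'ok' : 'mismatch', PHP_EOL;

// A mistyped or removed algorithm name is caught before any digest is made.
try {
    digestContent($payload, 'md55');
} catch (InvalidArgumentException $e) {
    echo 'rejected: ', $e->getMessage(), PHP_EOL;
}
```

The point of part (a) is the one made in the thread: rewriting md5($x) as hash('md5', $x) changes nothing about the output, so the deprecation only pays off if the call site is actually reconsidered. Part (b) is what that reconsideration can look like for a content digest. None of this is a password-hashing API; for stored credentials the right call remains password_hash(), regardless of which digest name is configured here.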