On 26.07.2024 at 12:03, Gina P. Banyard wrote:
> Stephen Rees-Carter, a security expert that has performed countless security
> audits on Wordpress and Laravel websites, would like to disagree with the
> fact that it is not enough of a good reason. [1]
> A warning on a documentation page is useless, as nobody is forced to read it.
Right, but even a deprecation notice is likely to be ignored by those
(either use the shut-up operator, or use hash("md5), or maybe a polyfill
to support old PHP versions), so the deprecation wouldn't help in such
cases.
(I've recently seen a new release of a software which still uses
<https://www.openwall.com/phpass/>. Apparently, the notice to prefer
the password_*() API has been ignored or overlooked.)
On the other hand, I'm quite confident that a deprecation could be
useful for some developers, who would at least reconsider the use of
md5/sha1 hashes, but just have overlooked this; although some static
analysis should report respective issues. However, there is certainly
code without any static analysis, where at least this discussion appears
to be helpful, e.g. our php-sdk-binary-tools might reconsider their use
of md5() and md5(uniqid())[2].
Note that I'm not against these deprecations, but I'm also not strongly
in favor. I see valid arguments from both proponents and opponents.
> [1] https://x.com/valorin/status/1816593881791860963
[2] <https://github.com/php/php-sdk-binary-tools/issues/21>
Cheers,
Christoph
