On 26.07.2024 at 12:03, Gina P. Banyard wrote: > Stephen Rees-Carter, a security expert that has performed countless security > audits on Wordpress and Laravel websites, would like to disagree with the > fact that it is not enough of a good reason. [1] > A warning on a documentation page is useless, as nobody is forced to read it.
Right, but even a deprecation notice is likely to be ignored by those (either use the shut-up operator, or use hash("md5), or maybe a polyfill to support old PHP versions), so the deprecation wouldn't help in such cases. (I've recently seen a new release of a software which still uses <https://www.openwall.com/phpass/>. Apparently, the notice to prefer the password_*() API has been ignored or overlooked.) On the other hand, I'm quite confident that a deprecation could be useful for some developers, who would at least reconsider the use of md5/sha1 hashes, but just have overlooked this; although some static analysis should report respective issues. However, there is certainly code without any static analysis, where at least this discussion appears to be helpful, e.g. our php-sdk-binary-tools might reconsider their use of md5() and md5(uniqid())[2]. Note that I'm not against these deprecations, but I'm also not strongly in favor. I see valid arguments from both proponents and opponents. > [1] https://x.com/valorin/status/1816593881791860963 [2] <https://github.com/php/php-sdk-binary-tools/issues/21> Cheers, Christoph