On Fri, Jul 26, 2024, at 11:11 AM, Christoph M. Becker wrote:
> On 26.07.2024 at 12:03, Gina P. Banyard wrote:
>
>> Stephen Rees-Carter, a security expert that has performed countless security
>> audits on Wordpress and Laravel websites, would like to disagree with the
>> fact that it is not enough of a good reason. [1]
>> A warning on a documentation page is useless, as nobody is forced to read it.
>
> Right, but even a deprecation notice is likely to be ignored by those
> (either use the shut-up operator, or use hash("md5), or maybe a polyfill
> to support old PHP versions), so the deprecation wouldn't help in such
> cases.
>
> (I've recently seen a new release of a software which still uses
> <https://www.openwall.com/phpass/>. Apparently, the notice to prefer
> the password_*() API has been ignored or overlooked.)
>
> On the other hand, I'm quite confident that a deprecation could be
> useful for some developers, who would at least reconsider the use of
> md5/sha1 hashes, but just have overlooked this; although some static
> analysis should report respective issues. However, there is certainly
> code without any static analysis, where at least this discussion appears
> to be helpful, e.g. our php-sdk-binary-tools might reconsider their use
> of md5() and md5(uniqid())[2].
>
> Note that I'm not against these deprecations, but I'm also not strongly
> in favor. I see valid arguments from both proponents and opponents.
>
>> [1] https://x.com/valorin/status/1816593881791860963
>
> [2] <https://github.com/php/php-sdk-binary-tools/issues/21>
>
> Cheers,
> Christoph
One thing to remind people about, the deprecations for md5(), sha1(), and
uniqid() explicitly say they cannot be outright removed before PHP 10. That's
at least 6 years away. That gives a loooooong time for documentation,
tutorials, instructions, and code to be updated.
That long deprecation period is the reason why I was comfortable voting yes.
This isn't something that would happen tomorrow. It would be in at least two
presidential elections from now.
--Larry Garfield
