On Fri, Jul 26, 2024, at 11:11 AM, Christoph M. Becker wrote:
> On 26.07.2024 at 12:03, Gina P. Banyard wrote:
>
>> Stephen Rees-Carter, a security expert that has performed countless security
>> audits on WordPress and Laravel websites, would like to disagree with the
>> fact that it is not enough of a good reason. [1]
>> A warning on a documentation page is useless, as nobody is forced to read it.
>
> Right, but even a deprecation notice is likely to be ignored by those
> (either use the shut-up operator, or use hash("md5"), or maybe a polyfill
> to support old PHP versions), so the deprecation wouldn't help in such
> cases.
>
> (I've recently seen a new release of a software which still uses
> <https://www.openwall.com/phpass/>. Apparently, the notice to prefer
> the password_*() API has been ignored or overlooked.)
>
> On the other hand, I'm quite confident that a deprecation could be
> useful for some developers, who would at least reconsider the use of
> md5/sha1 hashes, but just have overlooked this; although some static
> analysis should report respective issues. However, there is certainly
> code without any static analysis, where at least this discussion appears
> to be helpful, e.g. our php-sdk-binary-tools might reconsider their use
> of md5() and md5(uniqid()) [2].
>
> Note that I'm not against these deprecations, but I'm also not strongly
> in favor. I see valid arguments from both proponents and opponents.
>
>> [1] https://x.com/valorin/status/1816593881791860963
>
> [2] <https://github.com/php/php-sdk-binary-tools/issues/21>
>
> Cheers,
> Christoph
One thing to remind people about: the deprecations for md5(), sha1(), and uniqid() explicitly say they cannot be outright removed before PHP 10. That's at least 6 years away. That gives a loooooong time for documentation, tutorials, instructions, and code to be updated. That long deprecation period is the reason why I was comfortable voting yes. This isn't something that would happen tomorrow. It would be in at least two presidential elections from now.

--Larry Garfield
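As an added illustration that is not part of Christoph's or Larry's messages: the two md5() uses the thread touches on (md5 as a password hash, which the phpass remark is about, and md5(uniqid()) as a token, from the php-sdk-binary-tools issue), each beside the replacement the discussion points to, the password_*() API and random_bytes(). The function names and the migration helper are hypothetical; the PHP functions called are the standard library's.

```php
<?php
declare(strict_types=1);

// 1. Password storage.
// md5($password) is unsalted and fast, so leaked digests can be brute-forced
// or looked up in precomputed tables.
function legacyStorePassword(string $password): string
{
    return md5($password);
}

// password_hash() salts the input, uses a deliberately slow algorithm and
// records algorithm and cost in the returned string, so the stored value is
// self-describing and can be upgraded later.
function storePassword(string $password): string
{
    return password_hash($password, PASSWORD_DEFAULT);
}

// Transparent migration (hypothetical helper): accept a legacy 32-hex-char md5
// digest once, and on success overwrite it with a password_hash() value.
// Afterwards, rehash whenever PASSWORD_DEFAULT or its cost has changed.
function verifyAndUpgrade(string $password, string &$stored): bool
{
    if (strlen($stored) === 32 && ctype_xdigit($stored)) {
        // hash_equals() avoids a timing side channel on the comparison.
        if (!hash_equals($stored, md5($password))) {
            return false;
        }
        $stored = password_hash($password, PASSWORD_DEFAULT);
        return true;
    }
    if (!password_verify($password, $stored)) {
        return false;
    }
    if (password_needs_rehash($stored, PASSWORD_DEFAULT)) {
        $stored = password_hash($password, PASSWORD_DEFAULT);
    }
    return true;
}

// 2. Tokens and identifiers that must be unguessable.
// uniqid() is derived from the current microsecond timestamp; wrapping it in
// md5() changes its shape but not its predictability.
function legacyToken(): string
{
    return md5(uniqid());
}

// random_bytes() draws from the operating system's CSPRNG; 32 bytes gives a
// 64-character hex token.
function secureToken(int $bytes = 32): string
{
    return bin2hex(random_bytes($bytes));
}

// Usage (constructed sample input).
$stored = legacyStorePassword('correct horse battery staple');
var_dump(verifyAndUpgrade('correct horse battery staple', $stored));
var_dump(password_get_info($stored)['algoName']);
var_dump(verifyAndUpgrade('wrong password', $stored));
var_dump(strlen(secureToken()));
```

The migration helper is the piece a code base that ignored the documentation note would still need: it lets existing md5 rows keep working while each successful login replaces them, so no forced password reset is required.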