On 2/10/2020 3:42 PM, Chase Peeler wrote:
On Mon, Feb 10, 2020 at 5:36 PM Mark Randall <marand...@php.net> wrote:

On 10/02/2020 21:49, Tom Van Looy via internals wrote:
I suggest deprecating the functions md5_file() and sha1_file(). This will
make people think about upgrading to a better alternative.

It won't.

At best it will make people switch to the hash function. At worst people
will not upgrade.

If people are using the existing md5 / sha1 algorithms, chances are it's
because they're actually wanting to get a hash to compare to something
that has already been stored.

There's not much point in deprecating the algorithm if we don't
eventually plan to remove it, and there is an exactly zero percent
chance of it being removed at any point in the next 50 years.

Mark Randall

--
PHP Internals - PHP Runtime Development Mailing List
To unsubscribe, visit: http://www.php.net/unsub.php

Why? What does deprecating those two functions do to make PHP a better
language? It doesn't add any new features. It doesn't fix any security
issues. It doesn't even take away the ability to perform the functionality
that they provide, since it still exists in the hash_file function.

If you don't like the function, then don't use it.

I'd be fine with someone just adding a Warning to the documentation that MD5 and SHA-1 are known broken hashing algorithms when used for *cryptographic/security* purposes. The algorithms and related functions are completely fine though for other purposes such as detecting single-bit changes in file data where something a little more robust than CRC32 is needed but you don't want to waste a lot of storage space. md5() and sha1() already have basic warnings applied.

--
Thomas Hruska
CubicleSoft President

I've got great, time saving software that you will find useful.

http://cubiclesoft.com/

And once you find my software useful:

http://cubiclesoft.com/donate/
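
Two points made in this thread are that md5_file() and sha1_file() are mostly used to compare against digests that are already stored, and that hash_file() covers the same functionality. The following is an added example, not part of any message in the thread, showing a legacy digest being checked and re-recorded as SHA-256. The record layout and the name verify_and_upgrade() are hypothetical.

```php
<?php
declare(strict_types=1);

// Algorithms kept only so that already-stored digests can still be checked.
const LEGACY_ALGOS = ['md5', 'sha1'];
const CURRENT_ALGO = 'sha256';

/**
 * Check $path against a stored record ['algo' => ..., 'digest' => ...].
 * Returns the record to keep (upgraded when a legacy digest matched),
 * or null when the file does not match or cannot be read.
 */
function verify_and_upgrade(string $path, array $record): ?array
{
    $algo = strtolower($record['algo']);
    if (!in_array($algo, hash_algos(), true)) {
        throw new InvalidArgumentException("unsupported algorithm: $algo");
    }
    $actual = @hash_file($algo, $path);   // hash_file('md5', ...) gives the md5_file() digest
    if ($actual === false) {
        return null;
    }
    if (!hash_equals(strtolower($record['digest']), $actual)) {
        return null;
    }
    if (in_array($algo, LEGACY_ALGOS, true)) {
        // A legacy match only shows the file was not changed by accident;
        // record a SHA-256 digest so later checks no longer depend on MD5/SHA-1.
        return ['algo' => CURRENT_ALGO, 'digest' => hash_file(CURRENT_ALGO, $path)];
    }
    return $record;
}

// Constructed sample: a temp file and a record as an older application might have stored it.
$path = tempnam(sys_get_temp_dir(), 'hashdemo');
file_put_contents($path, "constructed sample content\n");
$stored = ['algo' => 'md5', 'digest' => md5_file($path)];

var_dump(md5_file($path) === hash_file('md5', $path)); // both calls produce the same digest
print_r(verify_and_upgrade($path, $stored));           // record re-issued under sha256

file_put_contents($path, "X", FILE_APPEND);            // simulate a changed file
var_dump(verify_and_upgrade($path, $stored));          // stored digest no longer matches
unlink($path);
```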
