Hey all

On 08.07.24 at 07:05, Juliette Reinders Folmer wrote:
On 8-7-2024 6:57, Andreas Heigl wrote:


On 08.07.24 at 05:04, Juliette Reinders Folmer wrote:
[...]

I also don't agree that there are "more appropriate replacements available". The suggested `hash()` replacements for the md5/sha1* functions have the exact same functionality, which the RFC considers "incorrect use", so what are we actually solving by this deprecation? Devs not having enough to do already? The problem (for open source) with "force-replacing" the uses of `md5/sha1*` functions with the `hash` function calls is that the hash extension was not part of PHP core until PHP 7.4, which means that for a significant number of open source projects, the replacement is not a one-on-one function call replacement, but needs guard code for PHP < 7.4 in case the hash extension is not available.

From the docs it looks like the hash function was part of the core since PHP 5.1.2, but perhaps I read that wrongly from the docs.

Anyhow, a replacement could possibly be to declare a userland function that then does the version check and either calls the respective function directly or delegates to the hash-function.


Agreed, but the fact that it is solvable, is not a justification for adding "busy-work" when the replacement for the deprecated function is, by all accounts, just as bad/incorrect as the original....

I don't mind putting the work in when there is a good justification, but I don't see one for this deprecation.
The only one I can see is cleaning up the codebase and removing duplicate methods.

But the RFC definitely states that it is to "encourage users to use a secure hash functions, instead of using an insecure algorithm"

Which is fine. But I am totally with you that deprecating a function by encouraging users to use the same insecure algorithm via a different function is ... an interesting take to say the least.

So with *that* argumentation I am also in the camp to say 'thanks, but no thanks' to that part of the RFC.

Cheers

Andreas

--
                                                              ,,,
                                                             (o o)
+---------------------------------------------------------ooO-(_)-Ooo-+
| Andreas Heigl                                                       |
| mailto:andr...@heigl.org                  N 50°22'59.5" E 08°23'58" |
| https://andreas.heigl.org                                           |
+---------------------------------------------------------------------+
| https://hei.gl/appointmentwithandreas                               |
+---------------------------------------------------------------------+
| GPG-Key: https://hei.gl/keyandreasheiglorg                          |
+---------------------------------------------------------------------+
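The userland wrapper with guard code discussed in the message above, sketched as an added example (not code from the RFC or from anyone in the thread). The name `legacy_digest()` is hypothetical, and the fallback assumes a build where the hash extension may be missing, as the thread describes for PHP < 7.4. The wrapper changes only the call site: the algorithm, and with it the security properties, stays the same.

```php
<?php
/**
 * Hypothetical helper: compute an MD5 or SHA-1 digest through hash() when
 * the hash extension is available, otherwise through the legacy function.
 *
 * @param string $algo   'md5' or 'sha1' (the two algorithms in the thread)
 * @param string $data   Input to digest
 * @param bool   $binary Return raw bytes instead of lowercase hex
 * @return string
 */
function legacy_digest($algo, $data, $binary = false)
{
    $algo = strtolower($algo);

    // Allow-list the algorithm so the name can never select an
    // arbitrary function in the fallback branch below.
    if (!in_array($algo, array('md5', 'sha1'), true)) {
        throw new InvalidArgumentException('Unsupported algorithm: ' . $algo);
    }

    // Preferred path: hash() exists and offers the algorithm.
    if (function_exists('hash') && in_array($algo, hash_algos(), true)) {
        return hash($algo, $data, $binary);
    }

    // Guard path: no hash extension, so call md5()/sha1() directly.
    // The second parameter of both functions is the raw-output flag.
    if (function_exists($algo)) {
        return $algo === 'md5' ? md5($data, $binary) : sha1($data, $binary);
    }

    throw new RuntimeException('No implementation of ' . $algo . ' available');
}

// Constructed sample input: a cache key, not a password or a signature.
echo legacy_digest('md5', 'constructed-sample-input'), PHP_EOL;
echo legacy_digest('sha1', 'constructed-sample-input'), PHP_EOL;
```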
