On Mon, Jul 22, 2024 at 9:06 AM Derick Rethans <der...@php.net> wrote:
> - Deprecate md5(), sha1(), md5_file(), and sha1_file() (just says "large
> impact")

About 1.2 million.
https://github.com/search?q=%28md5+OR+md5_file+OR+sha1+OR+sha1_file%29+language%3APHP+&type=code

The proposed deprecation of these functions in PHP due to their cryptographic insecurities seems to overlook their valid non-cryptographic applications.

If we consider the context, the scope of cryptographic usage is already quite specific. We're talking about end users who are rolling their own security implementations and are unaware of the security risks, but somehow know how to use these functions without reading the documentation and warnings. The number of people who fall into this specific category is quite small. Yet this change is being proposed for their sake. It's important to note that these same users could/will easily make other security mistakes regardless of this deprecation.

On the other hand, who will be impacted by these deprecations? Potentially everyone, as these are included in many projects and in many vendor packages. It's busy work for the people who aren't affected. Sure, eventually it will all be sorted out as CI warnings slowly subside because of this.

Reasons such as Git and most cloud storage services using these functions should be enough to spare them. Example: https://rclone.org/overview/

The point is that there are several reasons in 2024 to use md5 and sha1. Granted, hashing passwords isn't one, but we're past that as a community already. And for the few that aren't, I'd argue there is no saving.

Thanks,
Peter
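The distinction the reply draws, between md5()/sha1() as content identifiers or transfer checksums and the separate problem of password storage, in working PHP. This is an added example, not code from the thread, from PHP, from Git or from rclone; the function names are my own, and the checksum comparison only models the kind of check a sync tool performs against a remote-reported MD5, it is not rclone's implementation.

```php
<?php
declare(strict_types=1);

// Git's object id for a blob is SHA-1 over "blob <size>\0<content>".
// Any tool that interoperates with Git must produce exactly this value;
// collision resistance is not the property being relied on here.
function gitBlobId(string $content): string
{
    return sha1("blob " . strlen($content) . "\0" . $content);
}

// Transfer-integrity check in the style of a sync tool comparing a locally
// computed MD5 with the digest the remote reported. This catches accidental
// corruption or a truncated upload; it is not a defence against a party who
// controls both the file and the reported hash.
function checksumMatches(string $path, string $reportedMd5): bool
{
    $local = md5_file($path);
    if ($local === false) {
        return false;
    }
    // hash_equals() avoids a timing side channel on the comparison itself.
    return hash_equals(strtolower($reportedMd5), $local);
}

// Password storage is the case where md5()/sha1() are the wrong tool:
// use the password_* API, which applies a slow, salted algorithm.
function storePassword(string $plaintext): string
{
    return password_hash($plaintext, PASSWORD_DEFAULT);
}

function verifyPassword(string $plaintext, string $stored): bool
{
    return password_verify($plaintext, $stored);
}

// --- demo on constructed input ---
$content = "hello world\n";
echo "git blob id: " . gitBlobId($content) . PHP_EOL;

$tmp = tempnam(sys_get_temp_dir(), 'chk');
file_put_contents($tmp, $content);
$reported = md5($content);   // constructed stand-in for a remote-reported digest
var_dump(checksumMatches($tmp, $reported));
var_dump(checksumMatches($tmp, str_repeat('0', 32)));
unlink($tmp);

$stored = storePassword('correct horse battery staple');
var_dump(verifyPassword('correct horse battery staple', $stored));
var_dump(verifyPassword('wrong password', $stored));
```

The blob id printed for a file containing `hello world` followed by a newline can be compared against `git hash-object` on the same file; the checksum check should report true for the matching digest and false for the all-zero one, and only the correct password should verify.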