On 26 July 2024 11:03:53 BST, "Gina P. Banyard" <intern...@gpb.moe> wrote:
>Yet again the PHP community doesn't care about security of its users, current 
>and future, and just prefers the convenience of needing to type less 
>characters and not go back fix some code for better design.

This is a gross misrepresentation of what people are saying. I am in favour of 
the *aim* of educating users to use better hashing functions, but I don't agree 
that the proposed deprecation is the right way to achieve that aim. 

Maybe some people who already know SHA1 is outdated will be prompted to say 
"huh, I hadn't realised we used it there, let's add a backlog task to migrate 
to something else". But just as likely they'll do that during a security audit 
anyway.

The people you really want to reach, those who don't know much about it, will 
do a find-and-replace from "sha1(" to "hash('sha1', " and gain nothing. 

The deprecation *might* make sense alongside introducing some new functions 
that we want people to discover instead, but on its own, I don't think the 
benefits outweigh the costs. 

Regards,
Rowan Tommins
[IMSoP]
