On Mon, Jul 3, 2017 at 12:49 PM, Anatol Belski <weltl...@outlook.de> wrote: > About how to proceed - I'd say the issue is clear and either way > should be fixed. The RFC chooses the explicit strength approach. > What I'm a bit concerned about is, that there's no implementation > by this time, neither for 7.2 nor for lower. Given there are indeed > just last moments before the feature freeze, for 7.2 it depends on RMs. > I've told Niklas on Twitter, but I'll repeat here for the record. I fully expect a rush of last-minute RFCs "urgently" needing an extension of the feature freeze deadline. These come every new release as people are shocked to discover that timetables exist.
IMO any RFC which does not have a merged implementation by July 20th* should assume it's not making it into 7.2, however RFCs will be taken on a case-by-case basis while in the beta period. As to this one: It certainly seems important that we don't let users blindly ignore terrible certificates. That's a false sense of security, and is arguably worse than no security at all. I expect to allow this RFC as far out as beta2 ASSUMING the implementation is sensible enough to get a passing vote from internals. If it moves things along smoother/quicker, I would suggest to constrain this discussion as though it were ONLY targeting 7.2, and we can have a separate discussion about how/when it should be back-ported to 7.1 and 7.0 since this change does represent a (theoretical**) BC break. -Sara * Yes, this includes ext/sodium, and I'm less inclined to extend lee-way to that for a number of reasons. ** Legitimately signed sites should not actually be a problem, AIUI. -- PHP Internals - PHP Runtime Development Mailing List To unsubscribe, visit: http://www.php.net/unsub.php