Re: [PHP-DEV] Intention to move mcrypt to PECL

2016-10-21 Thread Daniel Morris
On Thu, 6 Oct 2016, at 11:41 AM, Lester Caine wrote:
> It is already an established component in PHP and while its use has
> been discouraged for a long time, simply switching it off will break a
> lot of legacy applications.

How many applications that are not following standard security
guidelines are not following basic security principles? It doesn't
matter if it's an established component, a vulnerability is a
vulnerability. BC shouldn't matter; especially for those who are not
willing to patch their applications to use the latest information we
have available to us.

You either keep up with changes; or you don't. New majors, and even
minors (if we're ignoring semantic versioning) should be able to change
something, it should be up to the maintainers of an application to
decide whether it's time to upgrade or not, internals shouldn't manage
that for you.

If you're using Composer, you can lock your dependencies to prevent your
application from breaking. If you're up to date with the latest
information, you can choose to evolve.

Mcrypt, now (I think) belongs in PECL, I will be looking at (a major)
code repository over the next few weeks and looking to provide a simple
upgrade path.

DM

-- 
PHP Internals - PHP Runtime Development Mailing List
To unsubscribe, visit: http://www.php.net/unsub.php



Re: [PHP-DEV] Intention to move mcrypt to PECL

2016-10-06 Thread Jakub Zelenka
On Thu, Oct 6, 2016 at 2:46 PM, Dan Ackroyd  wrote:

>
>
> > On 6 Oct 2016, at 13:48, Jakub Zelenka  wrote:
> >
> > Looks like copying says LGPLv2 but the files seem to be under GPLv2. See
> > for example
> >
> > http://mcrypt.cvs.sourceforge.net/viewvc/mcrypt/libmcrypt/lib/mcrypt.h.in?view=markup
>
> Er, unless I'm missing what you mean that file says "Library General
> Public License" aka LGPL.
>
>
Ah. I'm such an idiot. :) Sorry! Ignore me. Should be fine then.


Re: [PHP-DEV] Intention to move mcrypt to PECL

2016-10-06 Thread Dan Ackroyd


> On 6 Oct 2016, at 13:48, Jakub Zelenka  wrote:
> 
> Looks like copying says LGPLv2 but the files seem to be under GPLv2. See
> for example
> 
> http://mcrypt.cvs.sourceforge.net/viewvc/mcrypt/libmcrypt/lib/mcrypt.h.in?view=markup

Er, unless I'm missing what you mean that file says "Library General Public
License" aka LGPL.


cheers
Dan



Re: [PHP-DEV] Intention to move mcrypt to PECL

2016-10-06 Thread Jakub Zelenka
On Thu, Oct 6, 2016 at 1:38 PM, Leigh  wrote:

> On 6 October 2016 at 13:35, Ferenc Kovacs  wrote:
> >
> >
> > On Thu, Oct 6, 2016 at 12:12 PM, Jakub Zelenka  wrote:
> >>
> >> Hi,
> >>
> >> On Tue, Oct 4, 2016 at 5:58 PM, Leigh  wrote:
> >>
> >> > Hello list,
> >> >
> >> > It is my intention to create a new PECL package for ext/mcrypt, so
> >> > that it can be removed from master as per the RFC
> >> > (https://wiki.php.net/rfc/mcrypt-viking-funeral)
> >> >
> >> > I do not expect there to be any updates to the extension after it has
> >> > been migrated, however we voted to move it there.
> >> >
> >> > Any objections/comments? If not I'll apply for my PECL account in the
> >> > next few days.
> >> >
> >> >
> >> I don't think it can be added to PECL as it breaks its licensing rules
> >> (mcrypt is GPL licensed):
> >>
> >>
> >> - Note: wrappers for GPL (all versions) or LGPLv3 libraries will not be
> >>   accepted. Wrappers for libraries licensed under LGPLv2 are however allowed
> >>   while being discouraged.
> >>
> >> See https://pecl.php.net/account-request.php
> >>
> >> Cheers
> >>
> >> Jakub
> >
> >
> > AFAIK mcrypt is gpl, libmcrypt (wrapped by our mcrypt ext) is lgpl so it
> > would be fine for pecl.
> >
> > --
> > Ferenc Kovács
> > @Tyr43l - http://tyrael.hu
>
> http://mcrypt.cvs.sourceforge.net/viewvc/mcrypt/libmcrypt/COPYING.LIB?revision=1.1.1.1=markup
>
> LGPLv2
>

Looks like copying says LGPLv2 but the files seem to be under GPLv2. See
for example

http://mcrypt.cvs.sourceforge.net/viewvc/mcrypt/libmcrypt/lib/mcrypt.h.in?view=markup

That's why I thought it's GPL. Not sure what's more important though...

Cheers

Jakub


Re: [PHP-DEV] Intention to move mcrypt to PECL

2016-10-06 Thread Leigh
On 6 October 2016 at 13:35, Ferenc Kovacs  wrote:
>
>
> On Thu, Oct 6, 2016 at 12:12 PM, Jakub Zelenka  wrote:
>>
>> Hi,
>>
>> On Tue, Oct 4, 2016 at 5:58 PM, Leigh  wrote:
>>
>> > Hello list,
>> >
>> > It is my intention to create a new PECL package for ext/mcrypt, so
>> > that it can be removed from master as per the RFC
>> > (https://wiki.php.net/rfc/mcrypt-viking-funeral)
>> >
>> > I do not expect there to be any updates to the extension after it has
>> > been migrated, however we voted to move it there.
>> >
>> > Any objections/comments? If not I'll apply for my PECL account in the
>> > next few days.
>> >
>> >
>> I don't think it can be added to PECL as it breaks its licensing rules
>> (mcrypt is GPL licensed):
>>
>>
>> - Note: wrappers for GPL (all versions) or LGPLv3 libraries will not be
>>   accepted. Wrappers for libraries licensed under LGPLv2 are however allowed
>>   while being discouraged.
>>
>> See https://pecl.php.net/account-request.php
>>
>> Cheers
>>
>> Jakub
>
>
> AFAIK mcrypt is gpl, libmcrypt (wrapped by our mcrypt ext) is lgpl so it
> would be fine for pecl.
>
> --
> Ferenc Kovács
> @Tyr43l - http://tyrael.hu

http://mcrypt.cvs.sourceforge.net/viewvc/mcrypt/libmcrypt/COPYING.LIB?revision=1.1.1.1=markup

LGPLv2




Re: [PHP-DEV] Intention to move mcrypt to PECL

2016-10-06 Thread Ferenc Kovacs
On Thu, Oct 6, 2016 at 12:12 PM, Jakub Zelenka  wrote:

> Hi,
>
> On Tue, Oct 4, 2016 at 5:58 PM, Leigh  wrote:
>
> > Hello list,
> >
> > It is my intention to create a new PECL package for ext/mcrypt, so
> > that it can be removed from master as per the RFC
> > (https://wiki.php.net/rfc/mcrypt-viking-funeral)
> >
> > I do not expect there to be any updates to the extension after it has
> > been migrated, however we voted to move it there.
> >
> > Any objections/comments? If not I'll apply for my PECL account in the
> > next few days.
> >
> >
> I don't think it can be added to PECL as it breaks its licensing rules
> (mcrypt is GPL licensed):
>
>
> - Note: wrappers for GPL (all versions) or LGPLv3 libraries will not be
>   accepted. Wrappers for libraries licensed under LGPLv2 are however allowed
>   while being discouraged.
>
> See https://pecl.php.net/account-request.php
>
> Cheers
>
> Jakub
>

AFAIK mcrypt is gpl, libmcrypt (wrapped by our mcrypt ext) is lgpl so it
would be fine for pecl.

-- 
Ferenc Kovács
@Tyr43l - http://tyrael.hu


Re: [PHP-DEV] Intention to move mcrypt to PECL

2016-10-06 Thread Leigh
On 6 October 2016 at 11:12, Jakub Zelenka  wrote:
> Hi,
>
> On Tue, Oct 4, 2016 at 5:58 PM, Leigh  wrote:
>>
>> Hello list,
>>
>> It is my intention to create a new PECL package for ext/mcrypt, so
>> that it can be removed from master as per the RFC
>> (https://wiki.php.net/rfc/mcrypt-viking-funeral)
>>
>> I do not expect there to be any updates to the extension after it has
>> been migrated, however we voted to move it there.
>>
>> Any objections/comments? If not I'll apply for my PECL account in the
>> next few days.
>>
>
> I don't think it can be added to PECL as it breaks its licensing rules
> (mcrypt is GPL licensed):
>
> Note: wrappers for GPL (all versions) or LGPLv3 libraries will not be
> accepted. Wrappers for libraries licensed under LGPLv2 are however allowed
> while being discouraged.
>
> See https://pecl.php.net/account-request.php
>
> Cheers
>
> Jakub
>

Interesting, thanks for that.




Re: [PHP-DEV] Intention to move mcrypt to PECL

2016-10-06 Thread Lester Caine
On 06/10/16 11:12, Jakub Zelenka wrote:
> I don't think it can be added to PECL as it breaks its licensing rules
> (mcrypt is GPL licensed):

It is already an established component in PHP and while its use has
been discouraged for a long time, simply switching it off will break a
lot of legacy applications. It is not simply a matter of 'changing to a
more modern alternative'. If an application has data stored by mcrypt,
and it was a popular method of encoding passwords, then any migration
path is going to need to provide a method of re-encoding that data while
mcrypt is still available. There needs to be a proper migration guide to
identify the secondary effects of pulling it although as has been
indicated, many distributions will simply build it from PECL and carry
on providing it, so the move only really impacts people who build their
own installations ... and even there it's a simple exercise to restore
anything relegated to the second level of code storage.

-- 
Lester Caine - G8HFL
-
Contact - http://lsces.co.uk/wiki/?page=contact
L.S.Caine Electronic Services - http://lsces.co.uk
EnquirySolve - http://enquirysolve.com/
Model Engineers Digital Workshop - http://medw.co.uk
Rainbow Digital Media - http://rainbowdigitalmedia.co.uk




Re: [PHP-DEV] Intention to move mcrypt to PECL

2016-10-06 Thread Jakub Zelenka
Hi,

On Tue, Oct 4, 2016 at 5:58 PM, Leigh  wrote:

> Hello list,
>
> It is my intention to create a new PECL package for ext/mcrypt, so
> that it can be removed from master as per the RFC
> (https://wiki.php.net/rfc/mcrypt-viking-funeral)
>
> I do not expect there to be any updates to the extension after it has
> been migrated, however we voted to move it there.
>
> Any objections/comments? If not I'll apply for my PECL account in the
> next few days.
>
>
I don't think it can be added to PECL as it breaks its licensing rules
(mcrypt is GPL licensed):


   - Note: wrappers for GPL (all versions) or LGPLv3 libraries will not be
   accepted. Wrappers for libraries licensed under LGPLv2 are however allowed
   while being discouraged.

See https://pecl.php.net/account-request.php

Cheers

Jakub


Re: [PHP-DEV] Intention to move mcrypt to PECL

2016-10-06 Thread Remi Collet
On 06/10/2016 at 10:45, Pierre Joye wrote:
> On Oct 6, 2016 3:41 PM, "Nikita Popov"  wrote:
>>
>> On Thu, Oct 6, 2016 at 5:22 AM, Davey Shafik  wrote:
>>>
>>> On Wed, Oct 5, 2016 at 8:11 PM, Pierre Joye  wrote:
>>>
>>>> hi Leigh,
>>>>
>>>> On Tue, Oct 4, 2016 at 11:58 PM, Leigh  wrote:
>>>>> Hello list,
>>>>>
>>>>> It is my intention to create a new PECL package for ext/mcrypt, so
>>>>> that it can be removed from master as per the RFC
>>>>> (https://wiki.php.net/rfc/mcrypt-viking-funeral)
>>>>>
>>>>> I do not expect there to be any updates to the extension after it has
>>>>> been migrated, however we voted to move it there.
>>>>>
>>>>> Any objections/comments? If not I'll apply for my PECL account in the
>>>>> next few days.
>>>>
>>>> I am not sure to follow.
>>>>
>>>> We rejected to move it out of the core for 7.0. This RFC is about
>>>> deprecation for 7.1.
>>>>
>>>> As much as I want to kill this beast as soon as possible, I do not
>>>> think we can kill it in 7.x but 8.x. It is also why I was pushing so
>>>> hard to kill it in 7.0, knowing that this will be tried again and
>>>> sadly for 7.x.
>>>
>>>
>>> From the RFC:
>>>
>>>> In PHP 7.1+1 (be it 7.2 or 8.0), the crypt extension will be moved out of
>>>> core and into PECL
>>>
>>> and
>>>
>>>> Vote “Yes” to raise an E_DEPRECATED notice in PHP 7.1 when any crypt
>>>> function is used and to remove the extension from core in 7.1+1.
>>>
>>> So, per the RFC, moving to PECL in 7.2 is correct.
>>>
>>> - Davey
>>
>>
>> Furthermore the release process RFC *explicitly* allows moving extensions
>> to PECL in minor versions.
> 
> I am *not* (I can emphasize text too ;) it is not allowed.
> 
> What I am saying is why we refused to do it in 7.0 and then the same go all
> in for 7.2. That makes no sense to me and it is something we should figure
> out for 8 (exts or behaviors).
> 

Checking the https://wiki.php.net/rfc/releaseprocess

   x.y.z to x.y+1.z  (so 7.2)
   * Extensions support can be ended (moved to pecl)

This will not be a major issue, as most people will be able to find this
extension in the various binary distributions.

This is important to give information about this extension being
unsupported, as relying on a dead project.


Remi.






Re: [PHP-DEV] Intention to move mcrypt to PECL

2016-10-06 Thread Pierre Joye
On Oct 6, 2016 3:41 PM, "Nikita Popov"  wrote:
>
> On Thu, Oct 6, 2016 at 5:22 AM, Davey Shafik  wrote:
>>
>> On Wed, Oct 5, 2016 at 8:11 PM, Pierre Joye  wrote:
>>
>> > hi Leigh,
>> >
>> > On Tue, Oct 4, 2016 at 11:58 PM, Leigh  wrote:
>> > > Hello list,
>> > >
>> > > It is my intention to create a new PECL package for ext/mcrypt, so
>> > > that it can be removed from master as per the RFC
>> > > (https://wiki.php.net/rfc/mcrypt-viking-funeral)
>> > >
>> > > I do not expect there to be any updates to the extension after it has
>> > > been migrated, however we voted to move it there.
>> > >
>> > > Any objections/comments? If not I'll apply for my PECL account in the
>> > > next few days.
>> >
>> > I am not sure to follow.
>> >
>> > We rejected to move it out of the core for 7.0. This RFC is about
>> > deprecation for 7.1.
>> >
>> > As much as I want to kill this beast as soon as possible, I do not
>> > think we can kill it in 7.x but 8.x. It is also why I was pushing so
>> > hard to kill it in 7.0, knowing that this will be tried again and
>> > sadly for 7.x.
>>
>>
>> From the RFC:
>>
>> > In PHP 7.1+1 (be it 7.2 or 8.0), the crypt extension will be moved out of
>> > core and into PECL
>>
>> and
>>
>> > Vote “Yes” to raise an E_DEPRECATED notice in PHP 7.1 when any crypt
>> > function is used and to remove the extension from core in 7.1+1.
>>
>> So, per the RFC, moving to PECL in 7.2 is correct.
>>
>> - Davey
>
>
> Furthermore the release process RFC *explicitly* allows moving extensions
> to PECL in minor versions.

I am *not* (I can emphasize text too ;) it is not allowed.

What I am saying is why we refused to do it in 7.0 and then the same go all
in for 7.2. That makes no sense to me and it is something we should figure
out for 8 (exts or behaviors).


Re: [PHP-DEV] Intention to move mcrypt to PECL

2016-10-06 Thread Nikita Popov
On Thu, Oct 6, 2016 at 5:22 AM, Davey Shafik  wrote:

> On Wed, Oct 5, 2016 at 8:11 PM, Pierre Joye  wrote:
>
> > hi Leigh,
> >
> > On Tue, Oct 4, 2016 at 11:58 PM, Leigh  wrote:
> > > Hello list,
> > >
> > > It is my intention to create a new PECL package for ext/mcrypt, so
> > > that it can be removed from master as per the RFC
> > > (https://wiki.php.net/rfc/mcrypt-viking-funeral)
> > >
> > > I do not expect there to be any updates to the extension after it has
> > > been migrated, however we voted to move it there.
> > >
> > > Any objections/comments? If not I'll apply for my PECL account in the
> > > next few days.
> >
> > I am not sure to follow.
> >
> > We rejected to move it out of the core for 7.0. This RFC is about
> > deprecation for 7.1.
> >
> > As much as I want to kill this beast as soon as possible, I do not
> > think we can kill it in 7.x but 8.x. It is also why I was pushing so
> > hard to kill it in 7.0, knowing that this will be tried again and
> > sadly for 7.x.
>
>
> From the RFC:
>
> > In PHP 7.1+1 (be it 7.2 or 8.0), the crypt extension will be moved out of
> > core and into PECL
>
> and
>
> > Vote “Yes” to raise an E_DEPRECATED notice in PHP 7.1 when any crypt
> > function is used and to remove the extension from core in 7.1+1.
>
> So, per the RFC, moving to PECL in 7.2 is correct.
>
> - Davey
>

Furthermore the release process RFC *explicitly* allows moving extensions
to PECL in minor versions.

Nikita


Re: [PHP-DEV] Intention to move mcrypt to PECL

2016-10-05 Thread Pierre Joye
On Thu, Oct 6, 2016 at 10:22 AM, Davey Shafik  wrote:
> On Wed, Oct 5, 2016 at 8:11 PM, Pierre Joye  wrote:
>>
>> hi Leigh,
>>
>> On Tue, Oct 4, 2016 at 11:58 PM, Leigh  wrote:
>> > Hello list,
>> >
>> > It is my intention to create a new PECL package for ext/mcrypt, so
>> > that it can be removed from master as per the RFC
>> > (https://wiki.php.net/rfc/mcrypt-viking-funeral)
>> >
>> > I do not expect there to be any updates to the extension after it has
>> > been migrated, however we voted to move it there.
>> >
>> > Any objections/comments? If not I'll apply for my PECL account in the
>> > next few days.
>>
>> I am not sure to follow.
>>
>> We rejected to move it out of the core for 7.0. This RFC is about
>> deprecation for 7.1.
>>
>> As much as I want to kill this beast as soon as possible, I do not
>> think we can kill it in 7.x but 8.x. It is also why I was pushing so
>> hard to kill it in 7.0, knowing that this will be tried again and
>> sadly for 7.x.
>
>
> From the RFC:
>
>> In PHP 7.1+1 (be it 7.2 or 8.0), the crypt extension will be moved out of
>> core and into PECL
>
> and
>
>> Vote “Yes” to raise an E_DEPRECATED notice in PHP 7.1 when any crypt
>> function is used and to remove the extension from core in 7.1+1.
>
> So, per the RFC, moving to PECL in 7.2 is correct.

"In PHP 7.1+1 (be it 7.2 or 8.0),"

I took it as 8, for the reason explained earlier.


-- 
Pierre

@pierrejoye | http://www.libgd.org




Re: [PHP-DEV] Intention to move mcrypt to PECL

2016-10-05 Thread Davey Shafik
On Wed, Oct 5, 2016 at 8:11 PM, Pierre Joye  wrote:

> hi Leigh,
>
> On Tue, Oct 4, 2016 at 11:58 PM, Leigh  wrote:
> > Hello list,
> >
> > It is my intention to create a new PECL package for ext/mcrypt, so
> > that it can be removed from master as per the RFC
> > (https://wiki.php.net/rfc/mcrypt-viking-funeral)
> >
> > I do not expect there to be any updates to the extension after it has
> > been migrated, however we voted to move it there.
> >
> > Any objections/comments? If not I'll apply for my PECL account in the
> > next few days.
>
> I am not sure to follow.
>
> We rejected to move it out of the core for 7.0. This RFC is about
> deprecation for 7.1.
>
> As much as I want to kill this beast as soon as possible, I do not
> think we can kill it in 7.x but 8.x. It is also why I was pushing so
> hard to kill it in 7.0, knowing that this will be tried again and
> sadly for 7.x.


From the RFC:

> In PHP 7.1+1 (be it 7.2 or 8.0), the crypt extension will be moved out of
> core and into PECL

and

> Vote “Yes” to raise an E_DEPRECATED notice in PHP 7.1 when any crypt
> function is used and to remove the extension from core in 7.1+1.

So, per the RFC, moving to PECL in 7.2 is correct.

- Davey


Re: [PHP-DEV] Intention to move mcrypt to PECL

2016-10-05 Thread Pierre Joye
hi Leigh,

On Tue, Oct 4, 2016 at 11:58 PM, Leigh  wrote:
> Hello list,
>
> It is my intention to create a new PECL package for ext/mcrypt, so
> that it can be removed from master as per the RFC
> (https://wiki.php.net/rfc/mcrypt-viking-funeral)
>
> I do not expect there to be any updates to the extension after it has
> been migrated, however we voted to move it there.
>
> Any objections/comments? If not I'll apply for my PECL account in the
> next few days.

I am not sure to follow.

We rejected to move it out of the core for 7.0. This RFC is about
deprecation for 7.1.

As much as I want to kill this beast as soon as possible, I do not
think we can kill it in 7.x but 8.x. It is also why I was pushing so
hard to kill it in 7.0, knowing that this will be tried again and
sadly for 7.x.

Cheers,
Pierre
