Re: [PHP-DEV] Intention to move mcrypt to PECL
On Thu, 6 Oct 2016, at 11:41 AM, Lester Caine wrote:
> It is already an established component in PHP and while its use has
> been discouraged for a long time, simply switching it off will break a
> lot of legacy applications.

How many applications that are not following standard security guidelines are not following basic security principles? It doesn't matter if it's an established component, a vulnerability is a vulnerability. BC shouldn't matter; especially for those who are not willing to patch their applications to use the latest information we have available to us.

You either keep up with changes; or you don't. New majors, and even minors (if we're ignoring semantic versioning) should be able to change something, it should be up to the maintainers of an application to decide whether it's time to upgrade or not, internals shouldn't manage that for you.

If you're using Composer, you can lock your dependencies to prevent your application from breaking. If you're up to date with the latest information, you can choose to evolve.

Mcrypt, now (I think) belongs in PECL, I will be looking at (a major) code repository over the next few weeks and looking to provide a simple upgrade path.

DM

--
PHP Internals - PHP Runtime Development Mailing List
To unsubscribe, visit: http://www.php.net/unsub.php
Re: [PHP-DEV] Intention to move mcrypt to PECL
On Thu, Oct 6, 2016 at 2:46 PM, Dan Ackroyd wrote:

> > On 6 Oct 2016, at 13:48, Jakub Zelenka wrote:
> >
> > Looks like copying says LGPLv2 but the files seem to be under GPLv2. See
> > for example
> >
> > http://mcrypt.cvs.sourceforge.net/viewvc/mcrypt/libmcrypt/lib/mcrypt.h.in?view=markup
>
> Er, unless I'm missing what you mean that file says "Library General
> Public License" aka LGPL.

Ah. I'm such an idiot. :) Sorry! Ignore me. Should be fine then.
Re: [PHP-DEV] Intention to move mcrypt to PECL
> On 6 Oct 2016, at 13:48, Jakub Zelenka wrote:
>
> Looks like copying says LGPLv2 but the files seem to be under GPLv2. See
> for example
>
> http://mcrypt.cvs.sourceforge.net/viewvc/mcrypt/libmcrypt/lib/mcrypt.h.in?view=markup

Er, unless I'm missing what you mean that file says "Library General Public License" aka LGPL.

cheers
Dan
Re: [PHP-DEV] Intention to move mcrypt to PECL
On Thu, Oct 6, 2016 at 1:38 PM, Leigh wrote:

> On 6 October 2016 at 13:35, Ferenc Kovacs wrote:
> >
> > On Thu, Oct 6, 2016 at 12:12 PM, Jakub Zelenka wrote:
> >>
> >> Hi,
> >>
> >> On Tue, Oct 4, 2016 at 5:58 PM, Leigh wrote:
> >>
> >> > Hello list,
> >> >
> >> > It is my intention to create a new PECL package for ext/mcrypt, so
> >> > that it can be removed from master as per the RFC
> >> > (https://wiki.php.net/rfc/mcrypt-viking-funeral)
> >> >
> >> > I do not expect there to be any updates to the extension after it has
> >> > been migrated, however we voted to move it there.
> >> >
> >> > Any objections/comments? If not I'll apply for my PECL account in the
> >> > next few days.
> >> >
> >> I don't think it can be added to PECL as it breaks its licensing rules
> >> (mcrypt is GPL licensed):
> >>
> >>    - Note: wrappers for GPL (all versions) or LGPLv3 libraries will not be
> >>    accepted. Wrappers for libraries licensed under LGPLv2 are however allowed
> >>    while being discouraged.
> >>
> >> See https://pecl.php.net/account-request.php
> >>
> >> Cheers
> >>
> >> Jakub
> >
> > AFAIK mcrypt is gpl, libmcrypt (wrapped by our mcrypt ext) is lgpl so it
> > would be fine for pecl.
> >
> > --
> > Ferenc Kovács
> > @Tyr43l - http://tyrael.hu
>
> http://mcrypt.cvs.sourceforge.net/viewvc/mcrypt/libmcrypt/COPYING.LIB?revision=1.1.1.1=markup
>
> LGPLv2

Looks like copying says LGPLv2 but the files seem to be under GPLv2. See for example

http://mcrypt.cvs.sourceforge.net/viewvc/mcrypt/libmcrypt/lib/mcrypt.h.in?view=markup

That's why I thought it's GPL. Not sure what's more important though...

Cheers

Jakub
Re: [PHP-DEV] Intention to move mcrypt to PECL
On 6 October 2016 at 13:35, Ferenc Kovacs wrote:
>
> On Thu, Oct 6, 2016 at 12:12 PM, Jakub Zelenka wrote:
>>
>> Hi,
>>
>> On Tue, Oct 4, 2016 at 5:58 PM, Leigh wrote:
>>
>> > Hello list,
>> >
>> > It is my intention to create a new PECL package for ext/mcrypt, so
>> > that it can be removed from master as per the RFC
>> > (https://wiki.php.net/rfc/mcrypt-viking-funeral)
>> >
>> > I do not expect there to be any updates to the extension after it has
>> > been migrated, however we voted to move it there.
>> >
>> > Any objections/comments? If not I'll apply for my PECL account in the
>> > next few days.
>> >
>> I don't think it can be added to PECL as it breaks its licensing rules
>> (mcrypt is GPL licensed):
>>
>>    - Note: wrappers for GPL (all versions) or LGPLv3 libraries will not be
>>    accepted. Wrappers for libraries licensed under LGPLv2 are however allowed
>>    while being discouraged.
>>
>> See https://pecl.php.net/account-request.php
>>
>> Cheers
>>
>> Jakub
>
> AFAIK mcrypt is gpl, libmcrypt (wrapped by our mcrypt ext) is lgpl so it
> would be fine for pecl.
>
> --
> Ferenc Kovács
> @Tyr43l - http://tyrael.hu

http://mcrypt.cvs.sourceforge.net/viewvc/mcrypt/libmcrypt/COPYING.LIB?revision=1.1.1.1=markup

LGPLv2
Re: [PHP-DEV] Intention to move mcrypt to PECL
On Thu, Oct 6, 2016 at 12:12 PM, Jakub Zelenka wrote:

> Hi,
>
> On Tue, Oct 4, 2016 at 5:58 PM, Leigh wrote:
>
> > Hello list,
> >
> > It is my intention to create a new PECL package for ext/mcrypt, so
> > that it can be removed from master as per the RFC
> > (https://wiki.php.net/rfc/mcrypt-viking-funeral)
> >
> > I do not expect there to be any updates to the extension after it has
> > been migrated, however we voted to move it there.
> >
> > Any objections/comments? If not I'll apply for my PECL account in the
> > next few days.
> >
> I don't think it can be added to PECL as it breaks its licensing rules
> (mcrypt is GPL licensed):
>
>    - Note: wrappers for GPL (all versions) or LGPLv3 libraries will not be
>    accepted. Wrappers for libraries licensed under LGPLv2 are however allowed
>    while being discouraged.
>
> See https://pecl.php.net/account-request.php
>
> Cheers
>
> Jakub

AFAIK mcrypt is gpl, libmcrypt (wrapped by our mcrypt ext) is lgpl so it would be fine for pecl.

--
Ferenc Kovács
@Tyr43l - http://tyrael.hu
Re: [PHP-DEV] Intention to move mcrypt to PECL
On 6 October 2016 at 11:12, Jakub Zelenka wrote:
> Hi,
>
> On Tue, Oct 4, 2016 at 5:58 PM, Leigh wrote:
>>
>> Hello list,
>>
>> It is my intention to create a new PECL package for ext/mcrypt, so
>> that it can be removed from master as per the RFC
>> (https://wiki.php.net/rfc/mcrypt-viking-funeral)
>>
>> I do not expect there to be any updates to the extension after it has
>> been migrated, however we voted to move it there.
>>
>> Any objections/comments? If not I'll apply for my PECL account in the
>> next few days.
>>
>
> I don't think it can be added to PECL as it breaks its licensing rules
> (mcrypt is GPL licensed):
>
> Note: wrappers for GPL (all versions) or LGPLv3 libraries will not be
> accepted. Wrappers for libraries licensed under LGPLv2 are however allowed
> while being discouraged.
>
> See https://pecl.php.net/account-request.php
>
> Cheers
>
> Jakub

Interesting, thanks for that.
Re: [PHP-DEV] Intention to move mcrypt to PECL
On 06/10/16 11:12, Jakub Zelenka wrote:
> I don't think it can be added to PECL as it breaks its licensing rules
> (mcrypt is GPL licensed):

It is already an established component in PHP and while its use has been discouraged for a long time, simply switching it off will break a lot of legacy applications. It is not simply a matter of 'changing to a more modern alternative'. If an application has data stored by mcrypt, and it was a popular method of encoding passwords, then any migration path is going to need to provide a method of re-encoding that data while mcrypt is still available.

There needs to be a proper migration guide to identify the secondary effects of pulling it although as has been indicated, many distributions will simply build it from PECL and carry on providing it, so the move only really impacts people who build their own installations ... and even there it's a simple exercise to restore anything relegated to the second level of code storage.

--
Lester Caine - G8HFL
-----------------------------
Contact - http://lsces.co.uk/wiki/?page=contact
L.S.Caine Electronic Services - http://lsces.co.uk
EnquirySolve - http://enquirysolve.com/
Model Engineers Digital Workshop - http://medw.co.uk
Rainbow Digital Media - http://rainbowdigitalmedia.co.uk
Re: [PHP-DEV] Intention to move mcrypt to PECL
Hi,

On Tue, Oct 4, 2016 at 5:58 PM, Leigh wrote:

> Hello list,
>
> It is my intention to create a new PECL package for ext/mcrypt, so
> that it can be removed from master as per the RFC
> (https://wiki.php.net/rfc/mcrypt-viking-funeral)
>
> I do not expect there to be any updates to the extension after it has
> been migrated, however we voted to move it there.
>
> Any objections/comments? If not I'll apply for my PECL account in the
> next few days.
>

I don't think it can be added to PECL as it breaks its licensing rules (mcrypt is GPL licensed):

   - Note: wrappers for GPL (all versions) or LGPLv3 libraries will not be
   accepted. Wrappers for libraries licensed under LGPLv2 are however allowed
   while being discouraged.

See https://pecl.php.net/account-request.php

Cheers

Jakub
Re: [PHP-DEV] Intention to move mcrypt to PECL
On 06/10/2016 at 10:45, Pierre Joye wrote:
> On Oct 6, 2016 3:41 PM, "Nikita Popov" wrote:
>>
>> On Thu, Oct 6, 2016 at 5:22 AM, Davey Shafik wrote:
>>>
>>> On Wed, Oct 5, 2016 at 8:11 PM, Pierre Joye wrote:
>>>
>>>> hi Leigh,
>>>>
>>>> On Tue, Oct 4, 2016 at 11:58 PM, Leigh wrote:
>>>>> Hello list,
>>>>>
>>>>> It is my intention to create a new PECL package for ext/mcrypt, so
>>>>> that it can be removed from master as per the RFC
>>>>> (https://wiki.php.net/rfc/mcrypt-viking-funeral)
>>>>>
>>>>> I do not expect there to be any updates to the extension after it has
>>>>> been migrated, however we voted to move it there.
>>>>>
>>>>> Any objections/comments? If not I'll apply for my PECL account in the
>>>>> next few days.
>>>>
>>>> I am not sure to follow.
>>>>
>>>> We rejected to move it out of the core for 7.0. This RFC is about
>>>> deprecation for 7.1.
>>>>
>>>> As much as I want to kill this beast as soon as possible, I do not
>>>> think we can kill it in 7.x but 8.x. It is also why I was pushing so
>>>> hard to kill it in 7.0, knowing that this will be tried again and
>>>> sadly for 7.x.
>>>
>>> From the RFC:
>>>
>>>> In PHP 7.1+1 (be it 7.2 or 8.0), the crypt extension will be moved out of
>>>> core and into PECL
>>>
>>> and
>>>
>>>> Vote “Yes” to raise an E_DEPRECATED notice in PHP 7.1 when any crypt
>>>> function is used and to remove the extension from core in 7.1+1.
>>>
>>> So, per the RFC, moving to PECL in 7.2 is correct.
>>>
>>> - Davey
>>
>> Furthermore the release process RFC *explicitly* allows moving extensions
>> to PECL in minor versions.
>
> I am *not* (I can emphasize text too ;) it is not allowed.
>
> What I am saying is why we refused to do it in 7.0 and then the same go all
> in for 7.2. That makes no sense to me and it is something we should figure
> out for 8 (exts or behaviors).
>

Checking the https://wiki.php.net/rfc/releaseprocess

x.y.z to x.y+1.z (so 7.2)

 * Extensions support can be ended (moved to pecl)

This will not be a major issue, as most people will be able to find this extension in the various binary distributions.

This is important to give information about this extension being unsupported, as relying on a dead project.

Remi.
Re: [PHP-DEV] Intention to move mcrypt to PECL
On Oct 6, 2016 3:41 PM, "Nikita Popov" wrote:
>
> On Thu, Oct 6, 2016 at 5:22 AM, Davey Shafik wrote:
>>
>> On Wed, Oct 5, 2016 at 8:11 PM, Pierre Joye wrote:
>>
>> > hi Leigh,
>> >
>> > On Tue, Oct 4, 2016 at 11:58 PM, Leigh wrote:
>> > > Hello list,
>> > >
>> > > It is my intention to create a new PECL package for ext/mcrypt, so
>> > > that it can be removed from master as per the RFC
>> > > (https://wiki.php.net/rfc/mcrypt-viking-funeral)
>> > >
>> > > I do not expect there to be any updates to the extension after it has
>> > > been migrated, however we voted to move it there.
>> > >
>> > > Any objections/comments? If not I'll apply for my PECL account in the
>> > > next few days.
>> >
>> > I am not sure to follow.
>> >
>> > We rejected to move it out of the core for 7.0. This RFC is about
>> > deprecation for 7.1.
>> >
>> > As much as I want to kill this beast as soon as possible, I do not
>> > think we can kill it in 7.x but 8.x. It is also why I was pushing so
>> > hard to kill it in 7.0, knowing that this will be tried again and
>> > sadly for 7.x.
>>
>> From the RFC:
>>
>> > In PHP 7.1+1 (be it 7.2 or 8.0), the crypt extension will be moved out of
>> > core and into PECL
>>
>> and
>>
>> > Vote “Yes” to raise an E_DEPRECATED notice in PHP 7.1 when any crypt
>> > function is used and to remove the extension from core in 7.1+1.
>>
>> So, per the RFC, moving to PECL in 7.2 is correct.
>>
>> - Davey
>
> Furthermore the release process RFC *explicitly* allows moving extensions
> to PECL in minor versions.

I am *not* (I can emphasize text too ;) it is not allowed.

What I am saying is why we refused to do it in 7.0 and then the same go all in for 7.2. That makes no sense to me and it is something we should figure out for 8 (exts or behaviors).
Re: [PHP-DEV] Intention to move mcrypt to PECL
On Thu, Oct 6, 2016 at 5:22 AM, Davey Shafik wrote:

> On Wed, Oct 5, 2016 at 8:11 PM, Pierre Joye wrote:
>
> > hi Leigh,
> >
> > On Tue, Oct 4, 2016 at 11:58 PM, Leigh wrote:
> > > Hello list,
> > >
> > > It is my intention to create a new PECL package for ext/mcrypt, so
> > > that it can be removed from master as per the RFC
> > > (https://wiki.php.net/rfc/mcrypt-viking-funeral)
> > >
> > > I do not expect there to be any updates to the extension after it has
> > > been migrated, however we voted to move it there.
> > >
> > > Any objections/comments? If not I'll apply for my PECL account in the
> > > next few days.
> >
> > I am not sure to follow.
> >
> > We rejected to move it out of the core for 7.0. This RFC is about
> > deprecation for 7.1.
> >
> > As much as I want to kill this beast as soon as possible, I do not
> > think we can kill it in 7.x but 8.x. It is also why I was pushing so
> > hard to kill it in 7.0, knowing that this will be tried again and
> > sadly for 7.x.
>
> From the RFC:
>
> > In PHP 7.1+1 (be it 7.2 or 8.0), the crypt extension will be moved out of
> > core and into PECL
>
> and
>
> > Vote “Yes” to raise an E_DEPRECATED notice in PHP 7.1 when any crypt
> > function is used and to remove the extension from core in 7.1+1.
>
> So, per the RFC, moving to PECL in 7.2 is correct.
>
> - Davey
>

Furthermore the release process RFC *explicitly* allows moving extensions to PECL in minor versions.

Nikita
Re: [PHP-DEV] Intention to move mcrypt to PECL
On Thu, Oct 6, 2016 at 10:22 AM, Davey Shafik wrote:
> On Wed, Oct 5, 2016 at 8:11 PM, Pierre Joye wrote:
>>
>> hi Leigh,
>>
>> On Tue, Oct 4, 2016 at 11:58 PM, Leigh wrote:
>> > Hello list,
>> >
>> > It is my intention to create a new PECL package for ext/mcrypt, so
>> > that it can be removed from master as per the RFC
>> > (https://wiki.php.net/rfc/mcrypt-viking-funeral)
>> >
>> > I do not expect there to be any updates to the extension after it has
>> > been migrated, however we voted to move it there.
>> >
>> > Any objections/comments? If not I'll apply for my PECL account in the
>> > next few days.
>>
>> I am not sure to follow.
>>
>> We rejected to move it out of the core for 7.0. This RFC is about
>> deprecation for 7.1.
>>
>> As much as I want to kill this beast as soon as possible, I do not
>> think we can kill it in 7.x but 8.x. It is also why I was pushing so
>> hard to kill it in 7.0, knowing that this will be tried again and
>> sadly for 7.x.
>
> From the RFC:
>
>> In PHP 7.1+1 (be it 7.2 or 8.0), the crypt extension will be moved out of
>> core and into PECL
>
> and
>
>> Vote “Yes” to raise an E_DEPRECATED notice in PHP 7.1 when any crypt
>> function is used and to remove the extension from core in 7.1+1.
>
> So, per the RFC, moving to PECL in 7.2 is correct.

"In PHP 7.1+1 (be it 7.2 or 8.0),"

I took it as 8, for the reason explained earlier.

--
Pierre

@pierrejoye | http://www.libgd.org
Re: [PHP-DEV] Intention to move mcrypt to PECL
On Wed, Oct 5, 2016 at 8:11 PM, Pierre Joye wrote:

> hi Leigh,
>
> On Tue, Oct 4, 2016 at 11:58 PM, Leigh wrote:
> > Hello list,
> >
> > It is my intention to create a new PECL package for ext/mcrypt, so
> > that it can be removed from master as per the RFC
> > (https://wiki.php.net/rfc/mcrypt-viking-funeral)
> >
> > I do not expect there to be any updates to the extension after it has
> > been migrated, however we voted to move it there.
> >
> > Any objections/comments? If not I'll apply for my PECL account in the
> > next few days.
>
> I am not sure to follow.
>
> We rejected to move it out of the core for 7.0. This RFC is about
> deprecation for 7.1.
>
> As much as I want to kill this beast as soon as possible, I do not
> think we can kill it in 7.x but 8.x. It is also why I was pushing so
> hard to kill it in 7.0, knowing that this will be tried again and
> sadly for 7.x.

From the RFC:

> In PHP 7.1+1 (be it 7.2 or 8.0), the crypt extension will be moved out of core and into PECL

and

> Vote “Yes” to raise an E_DEPRECATED notice in PHP 7.1 when any crypt function is used and to remove the extension from core in 7.1+1.

So, per the RFC, moving to PECL in 7.2 is correct.

- Davey
Re: [PHP-DEV] Intention to move mcrypt to PECL
hi Leigh,

On Tue, Oct 4, 2016 at 11:58 PM, Leigh wrote:
> Hello list,
>
> It is my intention to create a new PECL package for ext/mcrypt, so
> that it can be removed from master as per the RFC
> (https://wiki.php.net/rfc/mcrypt-viking-funeral)
>
> I do not expect there to be any updates to the extension after it has
> been migrated, however we voted to move it there.
>
> Any objections/comments? If not I'll apply for my PECL account in the
> next few days.

I am not sure to follow.

We rejected to move it out of the core for 7.0. This RFC is about deprecation for 7.1.

As much as I want to kill this beast as soon as possible, I do not think we can kill it in 7.x but 8.x. It is also why I was pushing so hard to kill it in 7.0, knowing that this will be tried again and sadly for 7.x.

Cheers,
Pierre