Re: [PHP-DEV] [RFC] Deprecate Backtick Operator (V2)

  107450
October 9, 2019 08:11 nikita.ppv@gmail.com (Nikita Popov)
On Fri, Oct 4, 2019 at 5:45 PM Mark Randall <marandall@php.net> wrote:

> Hi Internals,
>
> I put forward the following RFC "Deprecate Backtick Operator (V2)" for
> discussion.
>
> https://wiki.php.net/rfc/deprecate-backtickTrying to drag every single
> discussion to the meta level is exactly what is causing these unnecessary,
> time wasting discussions. This is a small proposal with a limited number of
> arguments for and against, and it's unfortunate that your participation in
> the discussion has once again -operator-v2
> <https://wiki.php.net/rfc/deprecate-backtick-operator-v2>
>
> I believe it is at least worth a discussion as to the pros and cons of
> deprecating this functionality, especially in light of the existence of
> better described and more well-known functions exhibiting identical
> behaviour.
>
> This RFC only covers the issuing of a deprecation notice, and its complete
> removal would be contained within a separate RFC.

My 2c on this proposal: I think the primary motivation for me here would be the security aspect...

On one hand, the existence of the backtick operator in PHP borders on criminal negligence, because it exposes the **single most dangerous** operation in the entire language in a way that looks innocuous, is easy to confuse with a string literal and that the majority of PHP programmers are not aware of. This looks like a great way to slip a nice RCE vulnerability past code review ;)

On the other hand, I have seen no evidence of backticks actually causing security issues in practice. I guess it doesn't because it's not a feature you'll end up using accidentally, and it does not seem like attempts at inserting backdoors into open-source projects by 3rd party contributors are common. Is anyone aware of specific security incidents that can be attributed to the backtick operator?

Meta: Wow, do we really need to drag every single discussion that contains the word "deprecation" up to the meta level? This is a really simple proposal, with a very limited set of arguments for and against. I hope we can consider the proposal on its merits (or non-merits) rather than turning it into some kind of proxy war. Yes, "it breaks backwards compatibility for questionable benefit" is an argument against this proposal, it is even a *very good* argument against it, but it's also no mandate to shut down the discussion entirely.

Nikita
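
The review concern raised in the message above, as an added example that is not part of the original e-mail and not code from the PHP project: a check built on PHP's tokenizer that lists real backtick shell-execution expressions while ignoring backticks inside string literals and comments. The function name `find_backtick_exec` and the sample source are constructed for illustration.

```php
<?php
// Added example: report backtick (shell execution) expressions in PHP source.
// find_backtick_exec() is a hypothetical helper, not part of PHP itself.
function find_backtick_exec(string $source): array
{
    $findings = [];
    $line = 1;
    $open = null; // set while we are between an opening and closing backtick
    foreach (token_get_all($source) as $token) {
        $text = is_array($token) ? $token[1] : $token;
        if ($token === '`') {
            // A bare "`" token only appears for the operator itself; backticks
            // inside strings, comments or inline HTML are part of other tokens.
            if ($open === null) {
                $open = ['line' => $line, 'command' => '', 'interpolated' => false];
            } else {
                $findings[] = $open;
                $open = null;
            }
        } elseif ($open !== null) {
            $open['command'] .= $text;
            // Variables inside the backticks are interpolated into the command.
            if (is_array($token)
                && in_array($token[0], [T_VARIABLE, T_STRING_VARNAME], true)) {
                $open['interpolated'] = true;
            }
        }
        $line += substr_count($text, "\n");
    }
    return $findings;
}

// Constructed sample input (nowdoc, so nothing here is executed).
$sample = <<<'PHP'
<?php
$label = 'not `a command`';   // backticks inside a string literal
// `also not a command`
$listing = `ls -la $dir`;     // shell execution with interpolation
$who = `whoami`;
PHP;

foreach (find_backtick_exec($sample) as $f) {
    printf("line %d: `%s`%s\n", $f['line'], $f['command'],
        $f['interpolated'] ? ' [interpolates variables]' : '');
}
```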
  107462
October 10, 2019 03:35 smalyshev@gmail.com (Stanislav Malyshev)
Hi!

> it into some kind of proxy war. Yes, "it breaks backwards compatibility for
> questionable benefit" is an argument against this proposal, it is even a
> *very good* argument against it, but it's also no mandate to shut down the
> discussion entirely.

Well, anyone is free to continue the discussion forever and ever (there's no real way of "shutting down" it), but if there is a *very good* argument against it, then the point of continuing would be.... ?

--
Stas Malyshev
smalyshev@gmail.com
  107470
October 10, 2019 16:53 oludonsexy@gmail.com (Olumide Samson)
On Thu, Oct 10, 2019, 4:35 AM Stanislav Malyshev <smalyshev@gmail.com>
wrote:

> Hi!
>
> > it into some kind of proxy war. Yes, "it breaks backwards compatibility for
> > questionable benefit" is an argument against this proposal, it is even a
> > *very good* argument against it, but it's also no mandate to shut down the
> > discussion entirely.
>
> Well, anyone is free to continue the discussion forever and ever
> (there's no real way of "shutting down" it), but if there is a *very good*
> argument against it, then the point of continuing would be.... ?
>
> --
> Stas Malyshev
> smalyshev@gmail.com

For as long as I can recall, there would always be an argument against and for a debate. An argument against doesn't stop the RFC from going on, coz if it does there won't be anything to vote on since the RFC started to become a thing. Even unanimous votes still have arguments against them that didn't get to show up in the vote, either because those arguing against it aren't voting or something changed along the way. Argument is a good way to life.