Re: [PHP-DEV] [RFC] deprecate md5_file and sha1_file

  108442
February 10, 2020 21:52 zardozrocks@gmail.com (j adams)
I disagree. While MD5 and SHA1 might not be suitable for modern
cryptographic operations, these functions might be needed for legacy
situations -- e.g., munging through old data.


On Mon, Feb 10, 2020 at 1:50 PM Tom Van Looy via internals <
internals@lists.php.net> wrote:

> Hi
>
> While in some environments the use of MD5 and SHA1 are still acceptable for
> some use cases like file integrity verification etc. the use of these
> algorithms should be discouraged and not be your choice when developing new
> applications.
>
> I suggest to deprecate the functions md5_file() and sha1_file(). This will
> make people think about upgrading to a better alternative. If you still
> need this functionality you can always switch to the hash_file() function.
>
> Carrying around these two dedicated functions seems a bit too much for a
> modern PHP. What do you think?
>
> My feeling was that this is a no brainer. Should I open an RFC for this?
>
> Kind regards,
>
> Tom Van Looy

  108443
February 10, 2020 21:56 internals@lists.php.net ("Tom Van Looy via internals")
The hash_file() function still supports md5 and sha1, so people that need it
should then migrate to hash_file('md5', ...) or hash_file('sha1', ...)
instead. That was the idea.

Kind regards,

Tom

On Mon, Feb 10, 2020 at 10:52 PM j adams <zardozrocks@gmail.com> wrote:

> I disagree. While MD5 and SHA1 might not be suitable for modern
> cryptographic operations, these functions might be needed for legacy
> situations -- e.g., munging through old data.
>
>
> On Mon, Feb 10, 2020 at 1:50 PM Tom Van Looy via internals <
> internals@lists.php.net> wrote:
>
>> Hi
>>
>> While in some environments the use of MD5 and SHA1 are still acceptable for
>> some use cases like file integrity verification etc. the use of these
>> algorithms should be discouraged and not be your choice when developing new
>> applications.
>>
>> I suggest to deprecate the functions md5_file() and sha1_file(). This will
>> make people think about upgrading to a better alternative. If you still
>> need this functionality you can always switch to the hash_file() function.
>>
>> Carrying around these two dedicated functions seems a bit too much for a
>> modern PHP. What do you think?
>>
>> My feeling was that this is a no brainer. Should I open an RFC for this?
>>
>> Kind regards,
>>
>> Tom Van Looy

  108450
February 11, 2020 06:00 smalyshev@gmail.com (Stanislav Malyshev)
Hi!

> the hash_file() function still supports md5 and sha1 so people that need it
> should then migrate to hash_file('md5', ...) or hash_file('sha1', ...)
> instead. That was the idea

This means spending time and effort to cause extra work to people that
already have working code with existing PHP and don't need our "help". I
don't think we should be doing that.

--
Stas Malyshev
smalyshev@gmail.com

  108447
February 10, 2020 22:43 derick@php.net (Derick Rethans)
On 10 February 2020 21:52:42 GMT, j adams <zardozrocks@gmail.com> wrote:
> I disagree. While MD5 and SHA1 might not be suitable for modern
> cryptographic operations, these functions might be needed for legacy
> situations -- e.g., munging through old data.
>
>
> On Mon, Feb 10, 2020 at 1:50 PM Tom Van Looy via internals <
> internals@lists.php.net> wrote:
>
>> Hi
>>
>> While in some environments the use of MD5 and SHA1 are still acceptable for
>> some use cases like file integrity verification etc. the use of these
>> algorithms should be discouraged and not be your choice when developing new
>> applications.
>>
>> I suggest to deprecate the functions md5_file() and sha1_file(). This will
>> make people think about upgrading to a better alternative. If you still
>> need this functionality you can always switch to the hash_file() function.
>>
>> Carrying around these two dedicated functions seems a bit too much for a
>> modern PHP. What do you think?
>>
>> My feeling was that this is a no brainer. Should I open an RFC for this?
>>
>> Kind regards,
>>
>> Tom Van Looy

Deprecation doesn't mean immediate removal. It's a nudge to move to
something better. Because this deprecation isn't in the last PHP 7, these
functions can't be removed until PHP 9.

cheers,
Derick