Re: [PHP-DEV] Re: [RFC] deprecate md5_file and sha1_file

  108446
February 10, 2020 22:42 chasepeeler@gmail.com (Chase Peeler)
On Mon, Feb 10, 2020 at 5:36 PM Mark Randall <marandall@php.net> wrote:

> On 10/02/2020 21:49, Tom Van Looy via internals wrote:
> > I suggest to deprecate the functions md5_file() and sha1_file(). This will
> > make people think about upgrading to a better alternative.
>
> It won't.
>
> At best it will make people switch to the hash function. At worst people
> will not upgrade.
>
> If people are using the existing md5 / sha1 algorithms, chances are it's
> because they're actually wanting to get a hash to compare to something
> that has already been stored.
>
> There's not much point in deprecating the algorithm if we don't
> eventually plan to remove it, and there is an exactly zero percent
> chance of it being removed at any point in the next 50 years.
>
> Mark Randall
>
> --
> PHP Internals - PHP Runtime Development Mailing List
> To unsubscribe, visit: http://www.php.net/unsub.php
>

Why? What does deprecating those two functions do to make PHP a better
language? It doesn't add any new features. It doesn't fix any security
issues. It doesn't even take away the ability to perform the functionality
that they provide, since it still exists in the hash_file function.

If you don't like the function, then don't use it.

--
Chase Peeler
chasepeeler@gmail.com

  108470
February 11, 2020 12:23 thruska@cubiclesoft.com (Thomas Hruska)
On 2/10/2020 3:42 PM, Chase Peeler wrote:
> On Mon, Feb 10, 2020 at 5:36 PM Mark Randall <marandall@php.net> wrote:
>
>> On 10/02/2020 21:49, Tom Van Looy via internals wrote:
>>> I suggest to deprecate the functions md5_file() and sha1_file(). This will
>>> make people think about upgrading to a better alternative.
>>
>> It won't.
>>
>> At best it will make people switch to the hash function. At worst people
>> will not upgrade.
>>
>> If people are using the existing md5 / sha1 algorithms, chances are it's
>> because they're actually wanting to get a hash to compare to something
>> that has already been stored.
>>
>> There's not much point in deprecating the algorithm if we don't
>> eventually plan to remove it, and there is an exactly zero percent
>> chance of it being removed at any point in the next 50 years.
>>
>> Mark Randall
>>
>> --
>> PHP Internals - PHP Runtime Development Mailing List
>> To unsubscribe, visit: http://www.php.net/unsub.php
>>
> Why? What does deprecating those two functions do to make PHP a better
> language? It doesn't add any new features. It doesn't fix any security
> issues. It doesn't even take away the ability to perform the functionality
> that they provide, since it still exists in the hash_file function.
>
> If you don't like the function, then don't use it.

I'd be fine with someone just adding a Warning to the documentation that MD5 and SHA-1 are known broken hashing algorithms when used for *cryptographic/security* purposes. The algorithms and related functions are completely fine though for other purposes such as detecting single-bit changes in file data where something a little more robust than CRC32 is needed but don't want to waste a lot of storage space.

md5() and sha1() already have basic warnings applied.

--
Thomas Hruska
CubicleSoft President

I've got great, time saving software that you will find useful.
http://cubiclesoft.com/

And once you find my software useful:
http://cubiclesoft.com/donate/