February 11, 2020 12:23 (Thomas Hruska)
On 2/10/2020 3:42 PM, Chase Peeler wrote:
> On Mon, Feb 10, 2020 at 5:36 PM Mark Randall wrote:
>
>> On 10/02/2020 21:49, Tom Van Looy via internals wrote:
>>> I suggest to deprecate the functions md5_file() and sha1_file(). This will
>>> make people think about upgrading to a better alternative.
>>
>> It won't.
>>
>> At best it will make people switch to the hash function. At worst people
>> will not upgrade.
>>
>> If people are using the existing md5 / sha1 algorithms, chances are it's
>> because they're actually wanting to get a hash to compare to something
>> that has already been stored.
>>
>> There's not much point in deprecating the algorithm if we don't
>> eventually plan to remove it, and there is an exactly zero percent
>> chance of it being removed at any point in the next 50 years.
>>
>> Mark Randall
>
> Why? What does deprecating those two functions do to make PHP a better
> language? It doesn't add any new features. It doesn't fix any security
> issues. It doesn't even take away the ability to perform the functionality
> that they provide, since it still exists in the hash_file function.
>
> If you don't like the function, then don't use it.

I'd be fine with someone just adding a Warning to the documentation that MD5 and SHA-1 are known broken hashing algorithms when used for *cryptographic/security* purposes. The algorithms and related functions are completely fine though for other purposes such as detecting single-bit changes in file data where something a little more robust than CRC32 is needed but you don't want to waste a lot of storage space. md5() and sha1() already have basic warnings applied.