> On Mon, Feb 10, 2020 at 5:36 PM Mark Randall <email@example.com> wrote:
>> On 10/02/2020 21:49, Tom Van Looy via internals wrote:
>>> I suggest to deprecate the functions md5_file() and sha1_file(). This
>>> makes people think about upgrading to a better alternative.
>> It won't.
>> At best it will make people switch to the hash function. At worst people
>> will not upgrade.
>> If people are using the existing md5 / sha1 algorithms, chances are it's
>> because they're actually wanting to get a hash to compare to something
>> that has already been stored.
>> There's not much point in deprecating the algorithm if we don't
>> eventually plan to remove it, and there is an exactly zero percent
>> chance of it being removed at any point in the next 50 years.
>> Mark Randall
>> PHP Internals - PHP Runtime Development Mailing List
> Why? What does deprecating those two functions do to make PHP a better
> language? It doesn't add any new features. It doesn't fix any security
> issues. It doesn't even take away the ability to perform the functionality
> that they provide, since it still exists in the hash_file function.
> If you don't like the function, then don't use it.
I'd be fine with someone just adding a Warning to the documentation that
MD5 and SHA-1 are known broken hashing algorithms when used for
*cryptographic/security* purposes. The algorithms and related functions
are completely fine though for other purposes such as detecting
single-bit changes in file data where something a little more robust
than CRC32 is needed but you don't want to waste a lot of storage space.
md5() and sha1() already have basic warnings applied.
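Added example, not part of the original thread and not PHP project code: it shows the points raised above, that hash_file() yields the same digests as md5_file() and sha1_file(), and that stored legacy digests can keep being checked for accidental changes while new ones use SHA-256. The helper verify_stored_digest(), the DIGEST_ALGOS table and the length-based algorithm detection are assumptions made for this illustration; the sample file is constructed.

```php
<?php
declare(strict_types=1);

// Hypothetical mapping: infer the algorithm from the hex length of a stored digest.
const DIGEST_ALGOS = [32 => 'md5', 40 => 'sha1', 64 => 'sha256'];

// Hypothetical helper: check a file against a digest recorded earlier.
function verify_stored_digest(string $path, string $storedHex): bool
{
    $storedHex = strtolower(trim($storedHex));
    $algo = DIGEST_ALGOS[strlen($storedHex)] ?? null;
    if ($algo === null || !ctype_xdigit($storedHex)) {
        throw new InvalidArgumentException('Unrecognised digest format');
    }
    $actual = hash_file($algo, $path);
    if ($actual === false) {
        throw new RuntimeException("Cannot read $path");
    }
    // Constant-time comparison; harmless for plain integrity checks and
    // the right habit if the digest ever becomes security-relevant.
    return hash_equals($storedHex, $actual);
}

// Constructed sample file.
$path = tempnam(sys_get_temp_dir(), 'digest');
file_put_contents($path, "constructed sample data\n");

// The dedicated functions and hash_file() produce identical output.
var_dump(md5_file($path) === hash_file('md5', $path));
var_dump(sha1_file($path) === hash_file('sha1', $path));

// A digest stored long ago (MD5) and one stored today (SHA-256) both verify.
$legacy = md5_file($path);
$modern = hash_file('sha256', $path);
var_dump(verify_stored_digest($path, $legacy));
var_dump(verify_stored_digest($path, $modern));

// An accidental one-character change is detected by the legacy digest.
file_put_contents($path, "constructed sample datb\n");
var_dump(verify_stored_digest($path, $legacy));

unlink($path);
```

The legacy branch only detects accidental modification; where an attacker can choose the file contents, only the SHA-256 digest should be trusted.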