Hi Marco
On 2/21/22 10:15, Marco Pivetta wrote:
> If it's not going to be removed, what's the point of annoying people
> with deprecation warnings (that they would patch out/silence anyway)?
> Probably to be removed in `9.0` or `10.0`? Yes, it should be removed at
> some point.
In contrast to other deprecations (e.g. the utf8_encode/decode currently
discussed), deprecating and ultimately removing crypt() results in an
actual loss of functionality.
Even if we leave that home-grown nested BCrypt hashing out of the
picture, crypt() allows one to interoperate with non-PHP software that
does not support BCrypt, but supports the SHA-X variants. I already
mentioned Dovecot as an example, but BCrypt support in glibc in general
is something that was added only somewhat recently (and I'm not even
sure if that's only for Debian-based systems or generally available [1]).
Yes, users should just use password_hash() if they need to hash
passwords. Yes, the documentation for crypt() should more prominently
point to password_hash() as the better alternative. But if crypt()'s
features are what you need, then alternatives to crypt() (e.g. a
userland implementation or FFI) certainly are going to be even worse.
Best regards
Tim Düsterhus
[1] https://sourceware.org/bugzilla/show_bug.cgi?id=16814
--
PHP Internals - PHP Runtime Development Mailing List
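The interoperability case described in the message above, as an added example that is not part of the original e-mail or of PHP's own code: producing and checking a SHA-512 crypt(3) hash with crypt() so that non-PHP software can read the same stored value. The function names and the `{SHA512-CRYPT}` scheme prefix (the form Dovecot uses for stored passwords) are assumptions of this example; PHP 8.0 or later is assumed.

```php
<?php
declare(strict_types=1);

// Added example. Helper names are hypothetical; the scheme prefix is an
// assumption about how the consuming software labels stored hashes.
const SCHEME = '{SHA512-CRYPT}';

function sha512CryptHash(string $password, int $rounds = 5000): string
{
    // crypt(3) salts use the alphabet [./0-9A-Za-z]; SHA-512 takes up to 16 chars.
    $alphabet = './0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz';
    $salt = '';
    for ($i = 0; $i < 16; $i++) {
        $salt .= $alphabet[random_int(0, 63)];
    }

    $hash = crypt($password, sprintf('$6$rounds=%d$%s$', $rounds, $salt));

    // On failure crypt() returns a short marker such as "*0", never a "$6$" hash.
    if (!str_starts_with($hash, '$6$')) {
        throw new RuntimeException('crypt() could not produce a SHA-512 hash');
    }
    return SCHEME . $hash;
}

function sha512CryptVerify(string $password, string $stored): bool
{
    // Accept only the scheme this example writes; reject anything else outright.
    if (!str_starts_with($stored, SCHEME . '$6$')) {
        return false;
    }
    $hash = substr($stored, strlen(SCHEME));

    // Passing the stored hash as the salt argument makes crypt() reuse its
    // algorithm id, rounds and salt. hash_equals() compares in constant time.
    return hash_equals($hash, crypt($password, $hash));
}

// Constructed sample input.
$stored = sha512CryptHash('correct horse battery staple');
var_dump(sha512CryptVerify('correct horse battery staple', $stored)); // bool(true)
var_dump(sha512CryptVerify('wrong password', $stored));               // bool(false)

// password_verify() also accepts crypt()-format hashes, but password_hash()
// cannot create "$6$" hashes, so generation still depends on crypt().
var_dump(password_verify('correct horse battery staple', substr($stored, strlen(SCHEME))));
```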