Hi
On 7/26/24 15:13, Rowan Tommins [IMSoP] wrote:
> On Fri, 26 Jul 2024, at 12:58, Tim Düsterhus wrote:
>> I think you are expecting a little too much from a beginner that is
>> following "the modern PHP tutorial" if you expect them to critically
>> question whether the tutorial is actually good or not. They are likely
>> already struggling with syntax and explaining the difference between
>> "if" and "while". You wouldn't believe how often I've heard the term
>> "if-Schleife" (if loop) in German.
> I think you are expecting a little too much from a beginner if you think they will see the message
> "md5() is deprecated", and research up to date advice on hashing algorithms, rather than
> asking ChatGPT how to make the code work, and replacing it with "hash('md5', ...)".
I am not expecting that from a beginner. I am expecting two things:
1. That the beginner switches to a tutorial that does not emit any error
messages or warnings, because they realize that the tutorial is not as
good as it claims to be.
2. That (1) leads to the outdated tutorials falling out of favor with
regards to search engines or alternatively that the outdated tutorials
are updated to no longer be outdated.
>> CRC32 does not claim to be a cryptographically secure hash algorithm.
>> Its use case is completely different.
> As an inexperienced user looking at the PHP manual for hash() and hash_algos(), how would
> I know that? It's right there in the list, just after something called
> "adler32".
I expect the inexperienced user to look at existing tutorials or code
snippets, rather than the reference documentation: If they are
inexperienced, they would not even know what to look for in the
documentation.
That also ties into (1): I hope that the deprecation results in better
tutorials / making bad tutorials less attractive.
Of course that doesn't mean we shouldn't improve the documentation, and
I'm seeing that Christoph and Jim already started doing so.
>> I'm seeing the sarcasm indicator, but I'm compelled to point out that
>> SHA-256 and SHA-512 are both SHA-2. If one is broken, it is likely that
>> the other is as well.
> Again, you know that, but do the users you're trying to help by deprecating sha1()? I'm a
> reasonably experienced developer, and I have no idea why SHA-512 would exist if it's not
> in some way "better" than SHA-256.
See above. Also: Really any choice from the SHA-2 or SHA-3 family is
better than both MD5 and SHA-1 and I would expect users to generally
gravitate towards things they have heard about before and you really
need to try hard not to have heard about SHA-256 before. Wikipedia is
also helpful regarding this topic.
Best regards
Tim Düsterhus