Hi
On 7/26/24 19:33, Rowan Tommins [IMSoP] wrote:
> On Fri, 26 Jul 2024, at 15:20, Larry Garfield wrote:
>> One thing to remind people about, the deprecations for md5(), sha1(),
>> and uniqid() explicitly say they cannot be outright removed before PHP
>> 10. That's at least 6 years away. That gives a loooooong time for
>> documentation, tutorials, instructions, and code to be updated.
>
> It also gives a loooooong time for us to update that documentation *before* we
> start raising deprecation notices, so that there's a chance for someone to
> actually know what they're supposed to do about it.

Part of the motivation of the deprecation (and my argument against the
addition of a standalone sha256() function) is simplifying the
documentation: Everything needs to be written down in multiple different
places, any changes to hash_file() will likely also need to be applied
to md5_file() and sha1_file() - and then it will need to be translated.
Given that the md5(), sha1(), md5_file(), and sha1_file() functions are
not part of the hash extension, it's also much harder for the user to
discover the incremental hashing functionality provided by hash_init().
It's much much easier to keep the documentation in a good shape if there
is a single place.
--------------
I did some updates to the documentation before this RFC went to vote,
though (and did additional ones in response to this discussion). Here
are my PRs:
https://github.com/php/doc-en/pulls?q=is%3Apr+author%3ATimWolla+hash+is%3Aclosed
To summarize the changes:
- I've completely rewritten the documentation of hash_equals().
- I updated the examples for the hash_*() functions to use 'sha256' and
to be synchronized across the different functions to showcase how the
different functions all result in the same output, given the same input.
- I cleaned up the "See Also" section to make the references from
md5()/sha1() to hash() a "one-way street". Once you discovered the
hash() functions, you shouldn't need md5() and sha1().
- I've removed the broken algorithms from the $algo parameter
explanation, leaving only 'sha256' as the opinionated example (already
merged, but not yet deployed).
Best regards
Tim Düsterhus
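
The equivalence described in the message above (the hash_*() functions yielding the same output for the same input, including the incremental hash_init() route), shown as an added example that is not part of the original e-mail or of the PHP documentation. The sample input and the temporary file are constructed for the illustration.

```php
<?php
declare(strict_types=1);

// Constructed sample input, written to a temporary file so that the
// string-based and file-based functions see identical bytes.
$data = str_repeat("constructed sample line\n", 1000);
$path = tempnam(sys_get_temp_dir(), 'hash-demo-');
file_put_contents($path, $data);

// 1. One-shot hashing of a string.
$fromString = hash('sha256', $data);

// 2. Hashing a file without reading it into a PHP string first.
$fromFile = hash_file('sha256', $path);

// 3. Incremental hashing: feed the input in chunks of any size.
$ctx = hash_init('sha256');
foreach (str_split($data, 4096) as $chunk) {
    hash_update($ctx, $chunk);
}
$incremental = hash_final($ctx);

// 4. Incremental hashing straight from an open stream.
$ctx = hash_init('sha256');
$fh = fopen($path, 'rb');
hash_update_stream($ctx, $fh);
fclose($fh);
$fromStream = hash_final($ctx);

// All four routes must agree. hash_equals() compares in constant time,
// which matters when one side is a secret-derived value such as a MAC.
foreach ([$fromFile, $incremental, $fromStream] as $digest) {
    if (!hash_equals($fromString, $digest)) {
        throw new RuntimeException('digest mismatch');
    }
}

// Legacy callers map one-to-one onto the hash extension, so existing
// checksums stay verifiable while code moves to hash()/hash_file().
if (md5($data) !== hash('md5', $data)
    || sha1_file($path) !== hash_file('sha1', $path)) {
    throw new RuntimeException('legacy function and hash() disagree');
}

unlink($path);
echo "sha256: {$fromString}\n";
```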