Hi,

On Mon, Sep 8, 2025 at 4:48 PM Tim Düsterhus <t...@bastelstu.be> wrote:

> Hi
>
> On 2025-09-05 17:53, Nicolas Grekas wrote:
> > Hello internals,
> >
> > Following the discussion that started at
> > https://externals.io/message/128226#128456 I wrote this RFC to formalize
> > our consensus on the topic.
> >
> > TL;DR, this is about converting the deprecation of __sleep and __wakeup to
> > a documentation-based soft deprecation:
> > https://wiki.php.net/rfc/soft-deprecate-sleep-wakeup
>
> Thank you for the RFC. I have some comments:
>
> 1.
>
> I disagree with the phrasing that the RFC passed with a “narrow margin”.
> While it is technically true, that this is the narrowest margin for
> accepting an RFC, the necessary margins are already biased in favor of
> not accepting an RFC. That the RFC was accepted means that a significant
> majority of voters were in favor of the deprecation. I did not vote,
> since I did not have sufficient time to form an opinion on the RFC, but
> given the knowledge I've gained as part of the discussion I would now
> vote in favor of the RFC.

I think the point here was that it was close and the RFC itself was misleading and omitted some important points that would likely change the final result.

> 5.
>
> The serialization mechanism is also a security sensitive part of the
> language, the fewer moving parts there are, the better. Security is part
> of the motivation for me.

Could you be more specific here? We do not consider issues (crashes and similar) resulting from unserializing of the serialized string as security issues because it must not come from the untrusted source (see https://www.php.net/manual/en/function.unserialize.php ). I don't remember any security issue in serialize / unserialize since this rule was set.

Kind Regards

Jakub