Hi Derick, On 2/8/15, 11:38 AM, "Derick Rethans" <der...@php.net> wrote: > >Btw, I only voted no because I don't think we should just remove it. A >reimplementation of its APIs on top of eg. Open SSL makes sense. And that >I'd vote yes for.
This idea makes me nervous. It doesn't sound at all easy and will take a lot of time and effort. Commitment to maintaining a security lib over long term is a big deal. >Remember that just removing quite often used APIs doesn't help anybody. >It is not unlikely that devs would rather rip out the encryption as a >quick fix, than porting it to quite awful other APIs, or perhaps even a >really slow PHP based implementation. I actually think that it helps users if PHP 7 moves mycrypt to PECL. The developers' quick fix is to continue to use mcrypt. In doing so they should encounter the documentation with scary warning about its long abandoned status. I'm concerned that a lot of devs relying on mcrypt are not aware of its status and/or what it means. This move would allow them to continue to use mcrypt while making it clear that its time to plan for an alternative. Tom -- PHP Internals - PHP Runtime Development Mailing List To unsubscribe, visit: http://www.php.net/unsub.php
