Hi!

> On 2/8/15, 11:38 AM, "Derick Rethans" <der...@php.net> wrote:
>>
>> Btw, I only voted no because I don't think we should just remove it. A
>> reimplementation of its APIs on top of eg. Open SSL makes sense. And that
>> I'd vote yes for.
>
> This idea makes me nervous. It doesn't sound at all easy and will take a
> lot of time and effort. Commitment to maintaining a security lib over long
> term is a big deal.

The better alternative you are proposing is having no mcrypt extension at all in core. Which means the users have three choices:

1. Rewrite all their code to a different API (with accompanying costs in development, QA, stability, maintenance of code base now having two APIs, etc.)
2. Do not upgrade to PHP 7
3. Use the same extension from PECL

Option 1, however, is very expensive, so it is unlikely most of the users will choose it. Both options 2 and 3 make the security situation for an average user worse, as not upgrading means eventually falling out of supported versions - and we're doing *very badly* in this regard, over 46% of the users run EOLed versions now and less than 1% run current stable - and running PECL one means most core devs will pay next to zero attention to it.

--
Stas Malyshev
smalys...@gmail.com

--
PHP Internals - PHP Runtime Development Mailing List
To unsubscribe, visit: http://www.php.net/unsub.php