On 2/8/15, 6:23 PM, "Stanislav Malyshev" <smalys...@gmail.com> wrote:
> The better alternative you're proposing is having no mcrypt extension at
> all in core. Which means the users have three choices:
>
> 1. Rewrite all their code to a different API (with accompanying costs in
> development, QA, stability, maintenance of a code base now having two
> APIs, etc.)
> 2. Do not upgrade to PHP 7
> 3. Use the same extension from PECL
>
> Option 1 however is very expensive, so it is unlikely most of the users
> will choose it.
>
> Both options 2 and 3 make the security situation for an average user
> worse, as not upgrading means eventually falling out of supported
> versions - and we're doing *very badly* in this regard, over 46% of the
> users run EOLed versions now and less than 1% run current stable - and
> running the PECL one means most core devs will pay next to zero attention to
> it.

As a PHP user, I have no interest in running the latest release. I'll stay on 5.5 until the next LTS is mature. I know a lot of PHP users who have a similar attitude: it is sufficient to be on a supported version. People are scared of the bleeding edge, and I think that goes a long way to explaining the 1%.

Trying to improve these numbers by bringing along a crypto lib that was abandoned 8 years ago just doesn't strike me as either justified or plausible. mcrypt is not the difference that makes conservatives like me jump onto the latest release. Nor is it going to help the 43%, which, I imagine, represents apps that aren't ever going to see further development, and lazy hosting.

I also disagree with your analysis. There is simply no hurry to get onto PHP 7, so I have time to get rid of mcrypt, something I must do ASAP regardless of whether it is in PHP 7 or not.

In any case, I'll stop discussing this now. The vote outcome won't change in the next 6.5 hours.

Tom

--
PHP Internals - PHP Runtime Development Mailing List
To unsubscribe, visit: http://www.php.net/unsub.php