rfc:mcrypt-viking-funeral

rfc:mcrypt-viking-funeral [2016/03/15 16:10]
sarciszewski
rfc:mcrypt-viking-funeral [2017/09/22 13:28]
Line 1: Line 1:
-====== PHP RFC: Deprecate Mcrypt ====== 
-  * Version: 1.0 
-  * Date: 2016-01-09 
-  * Author: Scott Arciszewski, security@paragonie.com 
-  * Status: Under Discussion 
-  * First Published at: http://wiki.php.net/rfc/mcrypt-viking-funeral 
- 
-===== Introduction ===== 
- 
-Let's get rid of ext/mcrypt, which is abandonware and inhibits the growth of the language, as soon as humanly possible. 
- 
-===== Proposal ===== 
- 
-In PHP 7.1, all mcrypt_* functions will raise an E_DEPRECATED notice. 
- 
-In PHP 7.1+1 (be it 7.2 or 8.0), the mcrypt extension will be moved out of core and into PECL, where people who *really* want to install it may still do so if they can install PHP extensions from PECL. 
- 
-This RFC does not concern itself with the concept of shims or compatibility layers, and those topics are out of scope. If this RFC passes, another RFC could be drafted by interested parties to propose such a feature at a later date. 
- 
-===== Backward Incompatible Changes ===== 
- 
-Any cryptography code that depends on mcrypt will need to be refactored against openssl. This isn't as difficult as it sounds, provided you're using a trustworthy cipher (e.g. MCRYPT_RIJNDAEL_128). Based on [[https://3v4l.org/m4P2C|this 3v4l]], I can generally conclude that the following MCRYPT ciphers are not supported by openssl: 
- 
-  * GOST 
-  * TwoFish 
-  * Loki97 
-  * RC6 
-  * Rijndael-192 (not to be confused with AES-192) 
-  * Rijndael-256 (not to be confused with AES-256) 
-  * Saferplus 
-  * Wake 
-  * Serpent 
-  * XTEA 
-  * Enigma 
- 
-===== Proposed PHP Version(s) ===== 
- 
-Deprecation: Next minor version (7.1.0). 
- 
-Removal from core: The following major/minor version (7.2.0 or 8.0.0). 
- 
- 
-===== Proposed Voting Choices ===== 
-Vote "Yes" to raise an E_DEPRECATED notice in PHP 7.1 when any mcrypt function is used and to remove the extension from core in 7.1+1. 
- 
-Vote "No" otherwise. 
- 
-Since this would break backwards compatibility, a 2/3 majority is required. 
- 
-<doodle title="Deprecate then Remove Mcrypt from the PHP Core?" auth="sarciszewski" voteType="single"> 
-   * Yes 
-   * No 
-</doodle> 
- 
-This vote is opened on March 15th, 2016 and will close March 22th at 17:00 UTC as announced on list. 
- 
-===== Patches and Tests ===== 
- 
-If this RFC is accepted, I will author the patch to expunge ext/mcrypt. 
- 
-===== References ===== 
- 
-  * [[http://blog.remirepo.net/post/2015/07/07/About-libmcrypt-and-php-mcrypt|Remi on mcrypt]] 
-  * [[https://paragonie.com/blog/2015/05/if-you-re-typing-word-mcrypt-into-your-code-you-re-doing-it-wrong|If you're typing the word MCRYPT into your PHP code, you're doing it wrong]] 
- 
- 
-===== Rejected Features ===== 
  
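Review bot: every line of the page is removed here, from the "PHP RFC: Deprecate Mcrypt" title through the "Rejected Features" heading, and no line is added in its place, so the 2017/09/22 revision keeps no record of the proposal, the list of mcrypt ciphers that openssl does not support, or the voting section. The footer marks this revision as an external edit. If the blanking was not intended, restore the 2016/03/15 text. If it was intended, leave at least a one-line pointer to where the RFC text and its outcome are kept, so that links to the "First Published at" URL still lead somewhere useful.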
rfc/mcrypt-viking-funeral.txt · Last modified: 2017/09/22 13:28 (external edit)