PHP RFC: Deprecate MD5 checksums from Release process

• Version: 1.0
• Date: 2017-05-30
• Author: Sara Golemon pollita@php.net
• Status: Accepted
• First Published at: http://wiki.php.net/rfc/release-md5-deprecation

Deprecate and/or remove MD5 checksums from release notes and API.

MD5 should not be considered cryptographically secure for verifying download integrity. We're already providing both SHA256 hashes and GPG signatures for this purpose. Providing MD5 as well only offers the illusion of verification and a false sense of security.

Either remove the MD5 checksums entirely and allow any remaining dependents to break (they're broken by design if they depend on the MD5 signature), or at least deprecate it for removal after a period of time.

Potentially breaks external tools which are currently using the MD5 checksum for validation. As mentioned, these tools are conceptually broken already.

Not inherently tied to a PHP version, but we could artificially connect it to the PHP 7.2 release by continuing to produce checksums for 7.1 and below.

This RFC proposes to deprecate it across versions.

All votes have50%+1 Majority required to pass:

Should MD5 checksums be left in or removed?
Real name	Remove	Keep
ab (ab)
aharvey (aharvey)
ashnazg (ashnazg)
bishop (bishop)
bukka (bukka)
cmb (cmb)
colinodell (colinodell)
dm (dm)
emir (emir)
galvao (galvao)
hywan (hywan)
jhdxr (jhdxr)
kalle (kalle)
kelunik (kelunik)
krakjoe (krakjoe)
lcobucci (lcobucci)
mike (mike)
narf (narf)
ocramius (ocramius)
peehaa (peehaa)
pollita (pollita)
rquadling (rquadling)
sammyk (sammyk)
sebastian (sebastian)
sobak (sobak)
stas (stas)
trowski (trowski)
tyrael (tyrael)
zimt (zimt)
Final result:	29	0
This poll has been closed.

Assuming the above yields “Remove”, the following question determines if we should “remove” the hashes immediately, or “deprecate” them for a period of one year prior to removal.

Remove immediately or deprecate prior to removal?
Real name	Remove Now	Deprecate
ab (ab)
aharvey (aharvey)
ashnazg (ashnazg)
bishop (bishop)
bukka (bukka)
cmb (cmb)
colinodell (colinodell)
dm (dm)
emir (emir)
galvao (galvao)
hywan (hywan)
jhdxr (jhdxr)
kalle (kalle)
kelunik (kelunik)
krakjoe (krakjoe)
leigh (leigh)
mike (mike)
narf (narf)
ocramius (ocramius)
peehaa (peehaa)
pollita (pollita)
rquadling (rquadling)
sammyk (sammyk)
sebastian (sebastian)
sobak (sobak)
stas (stas)
trowski (trowski)
tyrael (tyrael)
zeev (zeev)
zimt (zimt)
Final result:	29	1
This poll has been closed.

Votes opened at 00:30 UTC on Wed 14 June, 2017
Voting closes at 00:30 UTC on Wed 28 June, 2017

* https://github.com/php/web-php/compare/master...sgolemon:md5-deprecation

https://bugs.php.net/bug.php?id=74259