PHP RFC: Deprecate MD5 checksums from Release process
- Version: 1.0
- Date: 2017-05-30
- Author: Sara Golemon pollita@php.net
- Status: Accepted
- First Published at: http://wiki.php.net/rfc/release-md5-deprecation
Deprecate and/or remove MD5 checksums from release notes and API.
Introduction
MD5 should not be considered cryptographically secure for verifying download integrity. We're already providing both SHA256 hashes and GPG signatures for this purpose. Providing MD5 as well only offers the illusion of verification and a false sense of security.
Proposal
Either remove the MD5 checksums entirely and allow any remaining dependents to break (they're broken by design if they depend on the MD5 signature), or at least deprecate it for removal after a period of time.
Backward Incompatible Changes
Potentially breaks external tools which are currently using the MD5 checksum for validation. As mentioned, these tools are conceptually broken already.
Proposed PHP Version(s)
Not inherently tied to a PHP version, but we could artificially connect it to the PHP 7.2 release by continuing to produce checksums for 7.1 and below.
This RFC proposes to deprecate it across versions.
Proposed Voting Choices
All votes have50%+1 Majority required to pass:
Assuming the above yields “Remove”, the following question determines if we should “remove” the hashes immediately, or “deprecate” them for a period of one year prior to removal.
Votes opened at 00:30 UTC on Wed 14 June, 2017
Voting closes at 00:30 UTC on Wed 28 June, 2017