
PHP RFC: Deprecate MD5 checksums from Release process

Deprecate and/or remove MD5 checksums from release notes and API.

Introduction

MD5 should not be considered cryptographically secure for verifying download integrity. We're already providing both SHA256 hashes and GPG signatures for this purpose. Providing MD5 as well only offers the illusion of verification and a false sense of security.
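As an added illustration that is not part of the RFC, the following downstream verifier applies the point above: only a SHA256 digest counts as integrity verification, and a published MD5 is treated as no evidence at all rather than as a weaker check. The "algo: hexdigest" line format, the function names and the sample bytes are assumptions of this example; GPG signature checking is out of scope here.

```python
import hashlib
import hmac

# Digests accepted as evidence of integrity, strongest first. MD5 (and SHA-1)
# are deliberately absent: a matching MD5 is not treated as verification at all.
ACCEPTED = ("sha256",)
DEPRECATED = ("md5", "sha1")

def format_checksums(data, algorithms):
    """Release-manager side: emit 'algo: hexdigest' lines (assumed line format)."""
    return "\n".join(f"{a}: {hashlib.new(a, data).hexdigest()}" for a in algorithms)

def parse_checksums(text):
    """Downstream side: parse 'algo: hexdigest' lines into {algo: hexdigest}."""
    published = {}
    for line in text.splitlines():
        algo, sep, digest = line.partition(":")
        if sep:
            published[algo.strip().lower()] = digest.strip().lower()
    return published

def verify_release(data, published):
    """Return (ok, reason). Only an ACCEPTED digest can make ok True."""
    for algo in ACCEPTED:
        expected = published.get(algo)
        if expected is None:
            continue
        actual = hashlib.new(algo, data).hexdigest()
        # Malformed or truncated digests are a mismatch, never an exception;
        # compare_digest keeps the comparison time independent of where it differs.
        if len(expected) != len(actual) or not hmac.compare_digest(
            actual.encode(), expected.encode()
        ):
            return False, f"{algo} mismatch"
        return True, f"{algo} verified"
    weak = [a for a in DEPRECATED if a in published]
    if weak:
        return False, f"only deprecated digests published ({', '.join(weak)}); not verified"
    return False, "no accepted digest published"

# Constructed stand-in for a release tarball; not a real PHP artifact.
SAMPLE_TARBALL = b"php-7.2.0.tar.gz: constructed placeholder bytes for the example"

if __name__ == "__main__":
    both = parse_checksums(format_checksums(SAMPLE_TARBALL, ["sha256", "md5"]))
    md5_only = parse_checksums(format_checksums(SAMPLE_TARBALL, ["md5"]))
    print(verify_release(SAMPLE_TARBALL, both))         # (True, 'sha256 verified')
    print(verify_release(SAMPLE_TARBALL, md5_only))     # MD5 alone is rejected
    print(verify_release(SAMPLE_TARBALL + b"!", both))  # tampered bytes: mismatch
```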

Proposal

Either remove the MD5 checksums entirely and allow any remaining dependents to break (they are broken by design if they depend on the MD5 checksum), or at least deprecate them for removal after a period of time.

Backward Incompatible Changes

Potentially breaks external tools which are currently using the MD5 checksum for validation. As mentioned, these tools are conceptually broken already.

Proposed PHP Version(s)

Not inherently tied to a PHP version, but we could artificially connect it to the PHP 7.2 release by continuing to produce checksums for 7.1 and below.

This RFC proposes to deprecate it across versions.

Proposed Voting Choices

All votes require a 50%+1 majority to pass:

Should MD5 checksums be left in or removed?
Real name Remove Keep
ab (ab)  
aharvey (aharvey)  
ashnazg (ashnazg)  
bishop (bishop)  
bukka (bukka)  
cmb (cmb)  
colinodell (colinodell)  
dm (dm)  
emir (emir)  
galvao (galvao)  
hywan (hywan)  
jhdxr (jhdxr)  
kalle (kalle)  
kelunik (kelunik)  
krakjoe (krakjoe)  
lcobucci (lcobucci)  
mike (mike)  
narf (narf)  
ocramius (ocramius)  
peehaa (peehaa)  
pollita (pollita)  
rquadling (rquadling)  
sammyk (sammyk)  
sebastian (sebastian)  
sobak (sobak)  
stas (stas)  
trowski (trowski)  
tyrael (tyrael)  
zimt (zimt)  
Final result: Remove 29, Keep 0
This poll has been closed.

Assuming the above yields “Remove”, the following question determines if we should “remove” the hashes immediately, or “deprecate” them for a period of one year prior to removal.

Remove immediately or deprecate prior to removal?
Real name Remove Now Deprecate
ab (ab)  
aharvey (aharvey)  
ashnazg (ashnazg)  
bishop (bishop)  
bukka (bukka)  
cmb (cmb)  
colinodell (colinodell)  
dm (dm)  
emir (emir)  
galvao (galvao)  
hywan (hywan)  
jhdxr (jhdxr)  
kalle (kalle)  
kelunik (kelunik)  
krakjoe (krakjoe)  
leigh (leigh)  
mike (mike)  
narf (narf)  
ocramius (ocramius)  
peehaa (peehaa)  
pollita (pollita)  
rquadling (rquadling)  
sammyk (sammyk)  
sebastian (sebastian)  
sobak (sobak)  
stas (stas)  
trowski (trowski)  
tyrael (tyrael)  
zeev (zeev)  
zimt (zimt)  
Final result: Remove Now 29, Deprecate 1
This poll has been closed.

Votes opened at 00:30 UTC on Wed 14 June, 2017
Voting closes at 00:30 UTC on Wed 28 June, 2017

Patches and Tests

References

rfc/release-md5-deprecation.txt · Last modified: 2017/09/22 13:28 by 127.0.0.1