PHP RFC: Deprecate MD5 checksums from Release process

• Version: 1.0
• Date: 2017-05-30
• Author: Sara Golemon pollita@php.net
• Status: Under Discussion
• First Published at: http://wiki.php.net/rfc/release-md5-deprecation

Deprecate and/or remove MD5 checksums from release notes and API.

MD5 should not be considered cryptographically secure for verifying download integrity. We're already providing both SHA256 hashes and GPG signatures for this purpose. Providing MD5 as well only offers the illusion of verification and a false sense of security.

Either remove the MD5 checksums entirely and allow any remaining dependents to break (they're broken by design if they depend on the MD5 signature), or at least deprecate it for removal after a period of time.

Potentially breaks external tools which are currently using the MD5 checksum for validation. As mentioned, these tools are conceptually broken already.

Not inherently tied to a PHP version, but we could artificially connect it to the PHP 7.2 release by continuing to produce checksums for 7.1 and below.

This RFC proposes to deprecate it across versions.

Should MD5 checksums be left in or removed?

Should the removal be immediate or deprecated for a period then removed?

Should that period be brief (e.g. 3 months) or longer (e.g. 1 year)?

* https://github.com/php/web-php/compare/master...sgolemon:md5-deprecation

Question: Should we include the top commit on this branch which removes the archive of md5 sums from include/releases.inc ? That's surely what git history is for, no?

https://bugs.php.net/bug.php?id=74259