pollita

Sara Golemon

Contents

PHP RFC: Deprecate MD5 checksums from Release process

Deprecate and/or remove MD5 checksums from release notes and API.

Introduction

MD5 should not be considered cryptographically secure for verifying download integrity. We're already providing both SHA256 hashes and GPG signatures for this purpose. Providing MD5 as well only offers the illusion of verification and a false sense of security.

Proposal

Either remove the MD5 checksums entirely and allow any remaining dependents to break (they're broken by design if they depend on the MD5 signature), or at least deprecate it for removal after a period of time.

Backward Incompatible Changes

Potentially breaks external tools which are currently using the MD5 checksum for validation. As mentioned, these tools are conceptually broken already.

Proposed PHP Version(s)

Not inherently tied to a PHP version, but we could artificially connect it to the PHP 7.2 release by continuing to produce checksums for 7.1 and below.

This RFC proposes to deprecate it across versions.

Patches and Tests

References

Votes

An option needs 50%+1 votes to win

Should MD5 checksums be left in or removed? (100% approved)
User Vote
ab Remove
aharvey Remove
ashnazg Remove
bishop Remove
bukka Remove
cmb Remove
colinodell Remove
dm Remove
emir Remove
galvao Remove
hywan Remove
jhdxr Remove
kalle Remove
kelunik Remove
krakjoe Remove
lcobucci Remove
mike Remove
narf Remove
ocramius Remove
peehaa Remove
pollita Remove
rquadling Remove
sammyk Remove
sebastian Remove
sobak Remove
stas Remove
trowski Remove
tyrael Remove
zimt Remove
Remove immediately or deprecate prior to removal? (100% approved)
User Vote
ab Remove Now
aharvey Remove Now
ashnazg Remove Now
bishop Remove Now
bukka Remove Now
cmb Remove Now
colinodell Remove Now
dm Remove Now
emir Remove Now
galvao Deprecate
hywan Remove Now
jhdxr Remove Now
kalle Remove Now
kelunik Remove Now
krakjoe Remove Now
leigh Remove Now
mike Remove Now
narf Remove Now
ocramius Remove Now
peehaa Remove Now
pollita Remove Now
rquadling Remove Now
sammyk Remove Now
sebastian Remove Now
sobak Remove Now
stas Remove Now
trowski Remove Now
tyrael Remove Now
zeev Remove Now
zimt Remove Now