It’s early September, about 3 months before PHP 7.2 is expected to be released (schedule here). One of the changes is the removal of the mcrypt extension, after it was deprecated in PHP 7.1. The main problem with the mcrypt extension is that it is based on libmcrypt, which has been abandoned by its upstream since 2007. That’s 10 years of keeping a library alive, moving the burden to distributions’ security teams. But this isn’t new, Remi already wrote about this two years ago: “About libmcrypt and php-mcrypt”.
But removing the extension from the PHP code base (about F**King time) will enforce what has until now only been recommended “nicely”. And forcing people means some noise, even though an alternative exists in PHP’s own openssl extension. But as with many migrations that require code changes, it’s going slowly.
The goal of this post is to reach out to the PHP ecosystem, map the components (mostly frameworks and applications) that still require/recommend mcrypt, and pressure them to fix it before PHP 7.2 is released. I’d appreciate readers’ help with this mapping in the comments.
For example, Laravel’s release notes for 5.1:
In previous versions of Laravel, encryption was handled by the mcrypt PHP extension. However, beginning in Laravel 5.1, encryption is handled by the openssl extension, which is more actively maintained.
Or, on the other hand, Joomla 3’s requirements still mention mcrypt.
- Drupal 7 and up, see https://www.drupal.org/docs/7/system-requirements/php
- Laravel 5.1 and up, see https://laravel.com/docs/5.1/releases
- Joomla, see https://downloads.joomla.org/technical-requirements
- Magento, see http://devdocs.magento.com/guides/v2.2/install-gde/system-requirements-tech.html
(Checking 2.2 RC release, as it just added support for PHP 7.1)
For those who really need mcrypt, it is part of PECL, PHP’s extension repository. You’re welcome to compile it at your own risk.
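To do the same mapping on your own code base before upgrading, the sketch below (an added example, not part of the original post) walks a project tree, including `vendor/`, and reports Composer manifests that require or suggest `ext-mcrypt` as well as PHP lines that call `mcrypt_*`/`mdecrypt_*` functions. The sample project it builds is constructed for illustration, and the line match is a heuristic that also fires on commented-out calls.

```python
import json
import re
import tempfile
from pathlib import Path

# Functions exported by the mcrypt extension start with mcrypt_ or mdecrypt_;
# PHP function names are case-insensitive, hence re.I.
MCRYPT_CALL = re.compile(r"\b(mcrypt_\w+|mdecrypt_\w+)\s*\(", re.I)
SECTIONS = ("require", "require-dev", "suggest")  # hard and soft dependencies


def scan_project(root):
    """Return (manifest_hits, call_hits) for the PHP project tree under root."""
    root = Path(root)
    manifest_hits, call_hits = [], []
    for manifest in root.rglob("composer.json"):
        try:
            data = json.loads(manifest.read_text(encoding="utf-8"))
        except (OSError, ValueError):
            continue  # unreadable or malformed manifest: skip it
        data = data if isinstance(data, dict) else {}
        rel = manifest.relative_to(root).as_posix()
        for section in SECTIONS:
            if "ext-mcrypt" in (data.get(section) or {}):
                manifest_hits.append((rel, section))
    for src in root.rglob("*.php"):
        rel = src.relative_to(root).as_posix()
        text = src.read_text(encoding="utf-8", errors="replace")
        for lineno, line in enumerate(text.splitlines(), 1):
            for match in MCRYPT_CALL.finditer(line):
                call_hits.append((rel, lineno, match.group(1)))
    return sorted(manifest_hits), sorted(call_hits)


def build_sample(root):
    """Write a small constructed project (not real code) to scan."""
    root = Path(root)
    (root / "vendor/acme/legacy").mkdir(parents=True)
    (root / "composer.json").write_text(json.dumps(
        {"require": {"php": ">=7.1", "ext-openssl": "*"}}))
    (root / "vendor/acme/legacy/composer.json").write_text(json.dumps(
        {"suggest": {"ext-mcrypt": "for legacy encrypted cookies"}}))
    (root / "vendor/acme/legacy/Crypt.php").write_text(
        "<?php\n$iv = mcrypt_create_iv(16, MCRYPT_DEV_URANDOM);\n"
        "$ct = mcrypt_encrypt(MCRYPT_RIJNDAEL_128, $key, $msg, 'cbc', $iv);\n")


if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        build_sample(tmp)
        print(*scan_project(tmp), sep="\n")
```

Point `scan_project()` at a real checkout after `composer install` so that third-party packages under `vendor/` are covered too.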