Bruce Weirdan

Results 291 comments of Bruce Weirdan

As far as I recall, we ignore the function definition in the callmap entirely if there's a definition for the function in stubs.

> What exactly is the purpose of the stubs?

To provide additional information the callmap format does not allow, e.g. taint flows, generics, etc. An alternative to the automatic merging...

@orklah with new functions added to stubs without `@param`/`@return` tags, aren't there chances we're now missing some more detailed signatures from the call map?

> but later, @psalm-trace reports correct type

That's because you traced the type *after* the constructor call. You need to use `/** @psalm-trace $param */;` (note the semicolon) to trace...

> All versions of PHP that require this library are EOL

They may be EOL to PHP core developers, but they are still prevalent in the wild according to http://w3techs.com/technologies/details/pl-php/5/all...

> This library's point is to enhance security.

Actually it says 'This library is intended to provide forward compatibility with the password_\* functions that ship with PHP 5.5.' right there...

@paragonie-scott I mean php upgrade, not the stored hashes upgrade.

> If I suddenly switch to password_compat, then it's my responsibility to upgrade the legacy hashes to use bcrypt.

Then...

@devjack

> My preference would be for an exception with a minor version bump, but an error that's written to logs etc. could be equally beneficial.

I'm totally ok with...

The problem with a configuration switch, as I see it, is that it's not in php core, so when you upgrade it gets ignored. Though this is something Anthony, being the...

@carnage we're talking about DES hashes here. Other crypt()-generated hashes like those you mentioned are not affected by this change.