Php-mcrypt no longer availaible in php 7.2 but in the list of recommended php modules

nexplorer · August 17, 2018, 10:02am

Hi,

the PHP module mcrypt (increases file encryption performance) according to https://docs.nextcloud.com/server/13/admin_manual/installation/source_installation.html#prerequisites-label

But this module is no longer available in php 7.2.

Should nextcloud working flawlessly without this module?
I will install on ubuntu server 18.04

Thanks for hints.

timm2k · August 20, 2018, 8:20am

mcrypt is used by user_saml at the moment. This is the only dependency I know. If you don’t need user_saml app you can go forward to use PHP 7.2.

Regards
Timm

James_O_Stanworth · September 17, 2018, 1:18am

I have the same questions - mcyprt is deprecated - what to do?
Do I need user_saml? How do I know whether I need it? It seems user_saml is connected to security.
What I do? Using a deprecated component seems kind of odd – a comment already made else where.
Can NC actually come forward with a clear and unambigious position on this? Updating their user guides would be a great place to start? In one place php7.2 is fine (in the docs) yet they they describe an install with php7.0. What is the assumption here? Is a deprecated (or near deprecated) php-mcrypt fine to go with?

timm2k · September 17, 2018, 5:24am

Hi James,

you need user_saml if you use Shibboleth or other SAML service providers to authenticate users. If you never heard about this you can safly ignore user_saml.

You also can follow discussion at https://github.com/nextcloud/user_saml/issues/168. There is a pull request that removes the dependency for php-mcrypt https://github.com/nextcloud/user_saml/pull/236. So it should be generally resolved in next time.

Regards
Timm

James_O_Stanworth · September 20, 2018, 4:36am

Hi Timm,
Thanks for the reply. Yes I’ve seen this thread. I’d particularly taken note of the comment about using a deprecated php-mcrypt in relation to security! The writing seems to have been on the wall about problems with mycrypt for a long time (given absence of maintenance). The position seems to be “nothing to worry about”. In this case could the docs be updated so users can run an install with php7.2 (not 7.0 - as I’ve done to stick with the guidance)? The messages I’m getting are not consistent (e.g., from you – thanks! – and others (i.e., ‘go ahead this depedency is not going to affect unless using SAML’) - and - NC (who on the web install are pushing php7.0. Users (in the thread you sent or another) are avoiding installs because of this issue.
Sorry to bang on but security around NC makes me nervous!
Thanks, James