Newsgroups: php.internals
Xref: news.php.net php.internals:114516
To: internals@lists.php.net
Message-ID: <72767cd7-ffc5-c84b-523c-123ff6ef30fa@gmail.com>
Date: Tue, 18 May 2021 18:43:16 +0100
Subject: Re: [PHP-DEV] [RFC] [Draft] Add RNG extension and deprecate mt_srand()
From: rowan.collins@gmail.com (Rowan Tommins)

On 18/05/2021 17:19, Go Kudo wrote:
> I have created a draft of the RFC.
>
> https://wiki.php.net/rfc/rng_extension

Hi,

At a glance, I think this looks like a good clear approach.

I think deprecating mt_srand makes sense, but could do with a heading to make sure it's not overlooked, and include a clear statement of when it would be removed (9.0? 10.0?). It could potentially even be a separate vote, as keeping it doesn't actually harm users of the new classes.

I have a few concerns with the third part of the proposal:

> Also, change the following function to use the same method as random_byte() (the php_random_bytes() internal function) for processing, instead of PHP's global state.

Firstly, making these functions independent of mt_srand() is a breaking change, so cannot happen until PHP 9.0 at the earliest. This could happen at the same time as mt_srand() is removed, but that connection needs to be clear in the proposal.

Secondly, it seems inconsistent to make these functions use the crypto-strong randomness source, but retain rand() and mt_rand() using PRNGs. In fact, I don't see the need to change them at all - they can be documented as not for cryptographic use, as mt_rand is, and users pointed to the new API if they need something stronger.

Regards,

-- 
Rowan Tommins
[IMSoP]
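
The breaking-change point in the message above, as an added example that is not part of the original message, the RFC or php-src. It assumes shuffle() is one of the functions the RFC would move off the global state; seeded_shuffle() and csprng_shuffle() are hypothetical names, and csprng_shuffle() is only a stand-in for a CSPRNG-backed shuffle().

```php
<?php
// Added illustration; the function names below are hypothetical.

// Shuffle using PHP's global Mt19937 state, seeded explicitly.
// Since PHP 7.1, shuffle() draws from the state set by mt_srand().
function seeded_shuffle(array $items, int $seed): array
{
    mt_srand($seed);
    shuffle($items);
    return $items;
}

// Fisher-Yates shuffle drawing from the CSPRNG through random_int().
// Stand-in for a shuffle() that no longer reads the global state.
function csprng_shuffle(array $items, int $seed): array
{
    mt_srand($seed); // still called by legacy code, but random_int() ignores it
    for ($i = count($items) - 1; $i > 0; $i--) {
        $j = random_int(0, $i); // uniform index in [0, $i] from the OS CSPRNG
        [$items[$i], $items[$j]] = [$items[$j], $items[$i]];
    }
    return $items;
}

$deck = range(1, 52); // constructed sample input

// Code that relies on a seed to replay an ordering (tests, fixtures,
// procedurally generated content) gets the same permutation every run.
$replayed = seeded_shuffle($deck, 2021) === seeded_shuffle($deck, 2021);

// With a CSPRNG-backed shuffle the same seed no longer pins the order,
// which is the behaviour change callers would observe.
$stillReplayed = csprng_shuffle($deck, 2021) === csprng_shuffle($deck, 2021);

printf("seeded global state replays order: %s\n", var_export($replayed, true));
printf("CSPRNG-backed shuffle replays order: %s\n", var_export($stillReplayed, true));
```

The same property cuts the other way for security: an ordering that can be replayed from a seed can be predicted by anyone who learns or guesses that seed, which is why mt_rand() is documented as not for cryptographic use.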