Newsgroups: php.internals Path: news.php.net Xref: news.php.net php.internals:114534 Return-Path: Delivered-To: mailing list internals@lists.php.net Received: (qmail 31580 invoked from network); 20 May 2021 14:26:43 -0000 Received: from unknown (HELO php-smtp4.php.net) (45.112.84.5) by pb1.pair.com with SMTP; 20 May 2021 14:26:43 -0000 Received: from php-smtp4.php.net (localhost [127.0.0.1]) by php-smtp4.php.net (Postfix) with ESMTP id 3936C1804D8 for ; Thu, 20 May 2021 07:36:45 -0700 (PDT) X-Spam-Checker-Version: SpamAssassin 3.4.2 (2018-09-13) on php-smtp4.php.net X-Spam-Level: X-Spam-Status: No, score=-2.1 required=5.0 tests=BAYES_00,DKIM_SIGNED, DKIM_VALID,DKIM_VALID_AU,DKIM_VALID_EF,FREEMAIL_FROM,HTML_MESSAGE, RCVD_IN_DNSWL_NONE,RCVD_IN_MSPIKE_H2,SPF_HELO_NONE,SPF_PASS autolearn=no autolearn_force=no version=3.4.2 X-Spam-Virus: No X-Envelope-From: Received: from mail-lj1-f179.google.com (mail-lj1-f179.google.com [209.85.208.179]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange ECDHE (P-256) server-signature RSA-PSS (4096 bits) server-digest SHA256) (No client certificate requested) by php-smtp4.php.net (Postfix) with ESMTPS for ; Thu, 20 May 2021 07:36:44 -0700 (PDT) Received: by mail-lj1-f179.google.com with SMTP id w15so19999514ljo.10 for ; Thu, 20 May 2021 07:36:44 -0700 (PDT) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20161025; h=mime-version:references:in-reply-to:from:date:message-id:subject:to :cc; bh=OjY1W55JQnIbhvYNlMWAjb/VmjxjOIeqLgQX5h5wF6U=; b=gJuhT3AuX8wsPIvARRY6bHm9DoWRyjrIbpvAaawBF+OeR7FZLDcgAg2LxRS9YJL6Zp OtqE2DS1dTFaPHgIjulHtsy4aFU/5co7zRy9tTrK6riunw2UxcSEXr7EVaXzVuH3bY6e 6ag8oJIhsra3wMlOlyBGkvNd0hN3UvCk8mnw550rT+G8XPqB6OA4kjA0rSQHEkkZl0dt gNjlHAmIdd8SrDuRd30eVsucS1lalxyy+pt6/qEwiH3VS1a3riE3zQ9wUWOpGfutC2r4 Kk9RzarI7sG5X+2iKpl87Y+x8YLGmmnbtBGRYzsADlKeCBzudfIacujiot8PgGlFhwU4 nYug== X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:mime-version:references:in-reply-to:from:date :message-id:subject:to:cc; bh=OjY1W55JQnIbhvYNlMWAjb/VmjxjOIeqLgQX5h5wF6U=; b=Iu+UnzumU3i5eOPqJeUSEmzCpt6yHfGA60SJtDs+bet6OKUSx4DnzDAummRmg8XH72 mIx9H7AQUBjH6KkENgaUEU4PfRl7dQHmG96zIHFozO4ShpYU4IshTdQBXP64smjOF8M4 +wmvMf8xuew2J5mqZ+PM7XMESwCtu3/0+/aQjaIyAlZ2yztzi6s1z7W8C+d+nmEn6g/b yZfD87BxmGt/k3yXFEcEp5DQ0z/CnhSItkWQH1I8UXEGpmtncjk81xfYEtOagEDqQXsA 9LU5r88Gwl0SNK5o3w9Jxq0L3lLo7hyvKcwNfptxXWjJwJavGsB60KfgG/pXt0W65WdG DhrQ== X-Gm-Message-State: AOAM531KxTgzE3SstBXu9Vna07tSA0EvUb/O3UV3Im8l8hjMhyLT09BM bpuClXvNLXWJcdwf8jx9haIAOKSki9BTGVXoA63KSbcbFFOj X-Google-Smtp-Source: ABdhPJzlal0vkOqM9J4y1SQLhV4CRJEpc55+wfiG94uyrS7cYu1E7+cV1Q6dxKlI+B/HCrfTb/QXYfStSQE5dIrl0ag= X-Received: by 2002:a05:651c:105a:: with SMTP id x26mr3285981ljm.440.1621521401070; Thu, 20 May 2021 07:36:41 -0700 (PDT) MIME-Version: 1.0 References: In-Reply-To: Date: Thu, 20 May 2021 16:36:29 +0200 Message-ID: To: Go Kudo Cc: PHP internals Content-Type: multipart/alternative; boundary="0000000000001b497505c2c3df66" Subject: Re: [PHP-DEV] [RFC] [Draft] Add RNG extension and deprecate mt_srand() From: guilliam.xavier@gmail.com (Guilliam Xavier) --0000000000001b497505c2c3df66 Content-Type: text/plain; charset="UTF-8" On Thu, May 20, 2021 at 2:42 PM Go Kudo wrote: > Sorry. I couldn't make it in time for my lunch break. > No worries, there was quite a lot to read/reply ;) > > How many bytes is `Source::next()` supposed to generate? Is it even > intended to be called directly (vs `Randomizer::generateBytes(int > $length)`)? > > No, this is not intended to be used directly. > In fact, as many people have pointed out, I think it would be more > appropriate to merge it into a single class. > > As per the original implementation (ext/orng), I didn't think it needed to > be separated originally. One of the comments on a previous RFC suggested > that it would probably be better to separate them, and I took that into > account. > I see. Sorry that you had so many back-and-forth suggestions :s I guess that the simplest-to-use API (for the main intended/expected use cases) is more likely to get acceptance. > > About the `MT19937PHP` variant: The PHP manual for `mt_srand()` > describes the `MT_RAND_PHP` mode like this: "Uses an *incorrect* Mersenne > Twister implementation which was used as the default up till PHP 7.1.0. > This mode is available for backward compatibility."; do we really need/want > to port it to this new extension? > > This is for backward compatibility. If it is not needed, we would like to > eliminate the implementation itself. > Well, to keep the language core clean, maybe this should be provided by an > appropriate external extension. > Yes, I think that a new core extension for PHP 8.1 needn't [or even shouldn't] provide BC for an incorrect implementation that is not used anymore since PHP 7.1 (unless someone here argues?). > > - `PlatformProvided` feels like the "odd one out" here: its constructor > [assuming same as previous RFC] doesn't take a seed, and it isn't > serializable; I understand why, but the main point of the RFC is "RNG > reproducibility", which this class cannot achieve. > > You're absolutely right. I would like to remove this. > *Caution though:* after your recent discussion with Rowan, if you remove the "change shuffle()/str_shuffle()/array_rand()'s internal RNG from mt_rand()-like to random_bytes()-like" part from the proposal, then this class becomes potentially "useful" again, not for reproducibility but for shuffling an array/string by a "truly random" [actually CSPRNG] algorithm, isn't it? > > > Technical, about `Randomizer::generateFloat()`: Is the returned float > guaranteed to be finite (i.e. never NAN nor +/-INF)? And may it ever return > -0.0 (negative zero)? and even if not, is 0.0 twice as likely as other > floats? > Also, no `generateFloat(float $min, float $max)` variant like for > `generateInt()`? > > As a matter of fact, we believe that the functions provided by this class > are sufficient for `mt_rand()`, `shuffle()`, `str_shuffle()`, and > `array_rand()` equivalents. At most, the equivalent of `random_byte()` > might be provided. > I'll reorganize these. > Sorry I'm not sure to understand your answer here, are you planning to remove generateFloat() and generateBool()? Well if generateBool() is a shorthand for `(bool) generateInt(0, 1)` [or `generateInt(PHP_INT_MIN, PHP_INT_MAX) >= 0`] then it's not necessary, but maybe convenient? As for generateFloat(), I didn't know if you intended something like `(float) generateInt(PHP_INT_MIN, PHP_INT_MAX) / PHP_INT_MAX` or rather "call generateBytes(8) then reinterpret those 64 bits as an IEEE 754 double [in C, not PHP]"? But it's true that I haven't seen many people requesting new "random_bool()" and/or "random_float()" functions, so... By the way, for `generateInt()` (without explicit $min/$max args), I assume that $max defaults to PHP_INT_MAX, but does $min default to PHP_INT_MIN or actually 0 [if it's like [mt_]rand() I guess that the answer is probably 0, but that could be written clear in the RFC]? > > Thanks for the detailed remarks. Based on these, I would like to clean up > the RFC. > > Regards, > Go Kudo > Regards, -- Guilliam Xavier --0000000000001b497505c2c3df66--