Newsgroups: php.internals Path: news.php.net Xref: news.php.net php.internals:118303 Return-Path: Delivered-To: mailing list internals@lists.php.net Received: (qmail 93318 invoked from network); 25 Jul 2022 14:45:13 -0000 Received: from unknown (HELO php-smtp4.php.net) (45.112.84.5) by pb1.pair.com with SMTP; 25 Jul 2022 14:45:13 -0000 Received: from php-smtp4.php.net (localhost [127.0.0.1]) by php-smtp4.php.net (Postfix) with ESMTP id B956C1804AB for ; Mon, 25 Jul 2022 09:43:02 -0700 (PDT) X-Spam-Checker-Version: SpamAssassin 3.4.2 (2018-09-13) on php-smtp4.php.net X-Spam-Level: * X-Spam-Status: No, score=1.3 required=5.0 tests=BAYES_00, HEADER_FROM_DIFFERENT_DOMAINS,HTML_MESSAGE,RCVD_IN_DNSWL_NONE, RCVD_IN_MSPIKE_H2,SPF_HELO_NONE,SPF_SOFTFAIL,T_SCC_BODY_TEXT_LINE autolearn=no autolearn_force=no version=3.4.2 X-Spam-ASN: AS15169 209.85.128.0/17 X-Spam-Virus: No X-Envelope-From: Received: from mail-yw1-f178.google.com (mail-yw1-f178.google.com [209.85.128.178]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange ECDHE (P-256) server-signature RSA-PSS (2048 bits) server-digest SHA256) (No client certificate requested) by php-smtp4.php.net (Postfix) with ESMTPS for ; Mon, 25 Jul 2022 09:43:02 -0700 (PDT) Received: by mail-yw1-f178.google.com with SMTP id 00721157ae682-31f41584236so7919647b3.5 for ; Mon, 25 Jul 2022 09:43:02 -0700 (PDT) X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20210112; h=x-gm-message-state:mime-version:references:in-reply-to:from:date :message-id:subject:to:cc; bh=WdGzoFNqkretKkzuuZjiOPDSsXkgz11AV9a0rOHl/eo=; b=AB0kMnP+S1HKNPAhxVag20Y527qFBMllzpJVXpqmCyDxiOFA91r/jovq+nuADRbz3M WTlqsFHX9/T/pJlftuhDG035eVCRyqSlegaOUKFZADAy/RPe7nE/Qycom5yWYj+b5ahb k9unZmqFTtKrFcsfxn21n5ICWNBCQ7xAYJNti7fK78HadRMVeGqJEykUNAkll2EAMBvN 5ziF499r7PaxvfQekVYXpPd47/pyBrk7pk1ZR2tWKTnZYIniL0E1aoaUBlay/qlzbSY/ lpjzESFE10WIJIvh0BgZDtF8rbM362iHOdgy8451He8PtDb4sqOPlSyXo9yEYSyL9dDb 8EGQ== X-Gm-Message-State: AJIora+WkwAWL0DuVq9Wnf6SSKy1+VaURqLCX8y6Dj3Jr/uOWp3ZposH Z+RM6pvH23q2MLDqfd/qayglxmDPrRl0almFDr6mDA== X-Google-Smtp-Source: AGRyM1s+QVN/ZLeL3JR39BLmNsAoJhG8gj9yoMhtwz0VPsBqUBnCt0TsX938M7A0GiOyyzF95NPUeuidG+15R+mpWek= X-Received: by 2002:a81:9c13:0:b0:31e:d5fb:1c76 with SMTP id m19-20020a819c13000000b0031ed5fb1c76mr8709108ywa.21.1658767381679; Mon, 25 Jul 2022 09:43:01 -0700 (PDT) MIME-Version: 1.0 References: In-Reply-To: Date: Mon, 25 Jul 2022 11:42:51 -0500 Message-ID: To: Go Kudo Cc: Jakub Zelenka , PHP internals Content-Type: multipart/alternative; boundary="0000000000008ce44b05e4a3e015" Subject: Re: [PHP-DEV] What do you think CSPRNG in PHP From: pollita@php.net (Sara Golemon) --0000000000008ce44b05e4a3e015 Content-Type: text/plain; charset="UTF-8" On Mon, Jul 25, 2022 at 7:08 AM Go Kudo wrote: > Indeed, But ext-openssl is not always available. > To use it in a ext-session, etc., it must be bundled reliably. > Which means that users can generally call `random_bytes()/random_int()` for an always available, but maybe not most performant CSPRNG source, or if they need those extra cycles, they can make sure OpenSSL is installed and available and call that API instead. Library authors can even abstract this away using function_exists() and a graceful fallback to random_int(). I think it's okay to trust developers to know how to program well, and to learn when they don't. -Sara --0000000000008ce44b05e4a3e015--