Newsgroups: php.internals
From: g-kudo@colopl.co.jp (Go Kudo)
To: Tim Düsterhus, internals@lists.php.net
Date: Thu, 28 Jul 2022 14:13:19 +0900
Subject: Re: [PHP-DEV] What do you think CSPRNG in PHP
In-Reply-To: <68573dc9-90b7-37c2-eadc-20de2aa03fd8@bastelstu.be>

On Thu, Jul 28, 2022 at 1:47, Tim Düsterhus wrote:
> Hi
>
> On 7/16/22 23:33, Tim Düsterhus wrote:
> > Personally I likely wouldn't have merged the PR in question for the same
> > reasons.
> > But at least in that case glibc is at fault :-)
>
> For those following along:
>
> It turns out the glibc "userland" implementation of arc4random() was
> questionable and was simplified to be a relatively simple wrapper around
> getrandom():
>
> https://github.com/php/php-src/pull/8984#issuecomment-1195986646
>
> and
>
> https://sourceware.org/pipermail/libc-alpha/2022-July/140939.html
>
> Best regards
> Tim Düsterhus

Hi

Thank you.

After considering various points of view, I realized that my proposal is very dangerous. The language side should not be working on something that will cause confusion even at the libc layer.

Also, the newly discussed vDSO implementation of getrandom (which I see no safe way to do at the moment) seems like a better option that would benefit all Linux distributions. Perhaps waiting for this is the better option than anything else.

Thank you!

Regards,
Go Kudo