Newsgroups: php.internals
Path: news.php.net
Xref: news.php.net php.internals:120586
Return-Path: <tim@bastelstu.be>
Delivered-To: mailing list internals@lists.php.net
Received: (qmail 33459 invoked from network); 15 Jun 2023 12:14:43 -0000
Received: from unknown (HELO php-smtp4.php.net) (45.112.84.5)
  by pb1.pair.com with SMTP; 15 Jun 2023 12:14:43 -0000
Received: from php-smtp4.php.net (localhost [127.0.0.1])
	by php-smtp4.php.net (Postfix) with ESMTP id 5F1E01804F2
	for <internals@lists.php.net>; Thu, 15 Jun 2023 05:14:42 -0700 (PDT)
X-Spam-Checker-Version: SpamAssassin 3.4.2 (2018-09-13) on php-smtp4.php.net
X-Spam-Level: 
X-Spam-Status: No, score=-2.1 required=5.0 tests=BAYES_00,DKIM_SIGNED,
	DKIM_VALID,DKIM_VALID_AU,DKIM_VALID_EF,SPF_HELO_NONE,SPF_PASS,
	T_SCC_BODY_TEXT_LINE autolearn=no autolearn_force=no version=3.4.2
X-Spam-ASN: AS24940 176.9.0.0/16
X-Spam-Virus: No
X-Envelope-From: <tim@bastelstu.be>
Received: from chrono.xqk7.com (chrono.xqk7.com [176.9.45.72])
	(using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits))
	(No client certificate requested)
	by php-smtp4.php.net (Postfix) with ESMTPS
	for <internals@lists.php.net>; Thu, 15 Jun 2023 05:14:41 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=bastelstu.be;
	s=mail20171119; t=1686831280;
	bh=VOc6D5OQwVuSDZDIcMo6y6/u7WESgQQmjPd63diDTXo=;
	h=Message-ID:Date:MIME-Version:Subject:To:References:From:
	 In-Reply-To:Content-Type:from:to:cc:subject:message-id;
	b=Xps4UMPBbkENL+8CT4kHwb4sI6twE+ur9dB1FTH3ismDEn/1Wku/2mif0I+OJ7cXa
	 pL6UPd2LbwQYfJZt+9o4UME8IZd6GSnrS8qDEL7aapR9VluhZTKGXPH7rpvlTlqHjE
	 iu7nD3LVoCM1zqBOLjLNLfX9G8LXkXv0eRVIY/wJTAmtuBOgJwAMCHIbixZhemgIUw
	 F24ue5PvJwrkBQtCtyP3nOjmWfhLFXVfdA98KCqS2jd0ptPMw+Ou2WXroh4xGIIDlY
	 gJmvXPSFPfVgy4sqrYcE6W9sKAIDjN0vsO2W0TTgc1OJyMKx49ENlWX5onJfhwm1bs
	 +0TTxpwMMYYfg==
Message-ID: <5604f988-5ca5-6aca-72ee-8b45320a9836@bastelstu.be>
Date: Thu, 15 Jun 2023 14:14:38 +0200
MIME-Version: 1.0
To: internals@lists.php.net
References: <CAH5C8xWAsRV+8h-tZ2Xq0=tn753kbSQX=KSEYsE2fWEtQVMrew@mail.gmail.com>
 <CAMs36HfmXuUJWJ0uih+Pj_vui4wG4vy3OTMmmspGmpP9h_gvgw@mail.gmail.com>
 <9ea3a5af-679d-ad63-f9c2-e0d8d148db3f@bastelstu.be>
 <CABTDVhDPLwBHDDzfXcHhs4VZNMHswWqum9muKgZcA63sgMCZdg@mail.gmail.com>
 <5ca4e382-8284-1cd0-696f-0dfd693523f8@bastelstu.be>
 <CAH5C8xWnAjep7kkTSg3=koBd7U0XuBkwF0-k61Mvv1J-m5yRiQ@mail.gmail.com>
 <CALKiJKrP5n=i_MLqny_+bxVyUopQZYvKYrO0wgCvvFDtnji_=Q@mail.gmail.com>
Content-Language: en-US
In-Reply-To: <CALKiJKrP5n=i_MLqny_+bxVyUopQZYvKYrO0wgCvvFDtnji_=Q@mail.gmail.com>
Content-Type: text/plain; charset=UTF-8; format=flowed
Content-Transfer-Encoding: 8bit
Subject: Re: [PHP-DEV] [RFC] [Discussion] PHP 8.3 deprecations
From: tim@bastelstu.be (=?UTF-8?Q?Tim_D=c3=bcsterhus?=)

Hi

On 6/15/23 13:46, Rowan Tommins wrote:
> While I agree with the logic of deprecating mt_rand() in general, I do
> think it's too early to do so in 8.3. The Random extension is very new, and

To be clear: The recommended replacement for mt_rand() for the majority 
of use cases / applications is random_int() which is available since 
7.0, not the OO API that was added in 8.2.

I've personally replaced all uses of mt_rand() / rand() with 
random_int() at work a while ago and also sent upstream PRs to libraries 
we use where appropriate.

> still isn't fully documented in the official manual (e.g.
> https://www.php.net/manual/en/random.examples.php is a blank placeholder)

Yes, unfortunately I could not yet get around to further completing the 
documentation (and will likely not in the nearer future).

Not to diminish that argument, I'd like to note, that around the release 
of PHP 8.2 I worked on the documentation, starting with the important 
parts first: The newly added API and especially the Randomizer methods 
*are* already documented with regard to parameter and return value 
explanation and (real-world) examples. In fact think the documentation 
is in a better state than large parts of ext/intl.

If anyone wants to help with the documentation, feel free to send PRs. 
I'm happy to review and advise! :-)

> let alone in third-party tutorials. I think there should be a "soft
> deprecation" period where we improve the guidance around which methods to
> use in which cases, and allow for some "organic" migration before raising
> notices for such a commonly used function.

As part of writing the documentation for the OO API I also worked on 
updating the references and examples for existing functions and adding 
new warnings. For example mt_srand() (which is the main cause of 
concern) now has this large “Caution” note with regard to the seed size:

https://www.php.net/manual/en/function.mt-srand.php

Looping back to the beginning of my email: The recommended replacement 
is random_int() which is available for years, but the "organic" 
migration did not really work. It's trivial to find (security-sensitive) 
code that *should* use random_int(), but uses mt_rand() using GitHub's 
code search. That's my main reason for the deprecation - folks don't 
read documentation and instead copy from old tutorials and StackOverflow.

> If the RFC stays as is, I will cast a No vote on that question, but I
> thought I'd raise the concerns early to avoid surprise.

I fully expected that part to be the most contentious one in the RFC and 
if everyone agreed, we would not need to hold a vote. Even if the 
deprecation is ultimately declined, I think it's useful to at least have 
held the vote for two reasons:

1. It further raises awareness.
2. It gives additional information to work with.

Best regards
Tim Düsterhus