Newsgroups: php.internals
From: rowan.collins@gmail.com (Rowan Tommins)
To: internals@lists.php.net
Date: Thu, 15 Jun 2023 19:24:59 +0100
Subject: Re: [PHP-DEV] [RFC] [Discussion] PHP 8.3 deprecations

On 15/06/2023 13:14, Tim Düsterhus wrote:
> Looping back to the beginning of my email: The recommended replacement
> is random_int() which is available for years, but the "organic"
> migration did not really work.

I think that's partly because, rightly or wrongly, random_int() is not generally viewed as a universal replacement for rand()/mt_rand().

For instance, consider the opening description in the manual for random_int():

> Generates cryptographic random integers that are suitable for use where unbiased results are critical, such as when shuffling a deck of cards for a poker game.

And the Caution on the manual for rand() and mt_rand():

> This function does not generate cryptographically secure values, and /must not/ be used for cryptographic purposes, or purposes that require returned values to be unguessable.

Note that both talk about using random_int() *in particular situations*, not as a universal replacement.

Add to that the scary fact that random_int() can fail with an exception (the technical detail of how unlikely that is probably goes over the head of the majority of PHP programmers), and the perception that it's significantly slower (which may or may not be true, or relevant to most users), and many people will be actively choosing not to use it when they don't need its guarantees.

On the other hand, I'm sure you're right that there are people misusing rand()/mt_rand() in contexts where they really should use something secure. Maybe with improved documentation at the same time, a deprecation could be OK; but it would be worryingly easy to say "deprecate first, we'll get round to the documentation later", and have lots of confused users who think we're suddenly deprecating something that's been working fine for 20 years.

Regards,

-- 
Rowan Tommins
[IMSoP]
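
An added example, not part of the original message or of the PHP manual: the distinction the quoted manual text draws, shown as a token generator built on a seeded mt_rand() beside one built on random_int(), including the exception case. The function names, alphabet and seed value are constructed for illustration.

```php
<?php
declare(strict_types=1);

const ALPHABET = 'abcdefghijklmnopqrstuvwxyz0123456789';

// Weak for secrets: mt_rand() is a seeded Mersenne Twister, so anyone who
// learns or guesses the seed reproduces every token exactly.
// (Reproducibility is fine, even useful, for simulations and test fixtures.)
function weakToken(int $seed, int $length = 16): string
{
    $alphabet = ALPHABET;
    mt_srand($seed);
    $out = '';
    for ($i = 0; $i < $length; $i++) {
        $out .= $alphabet[mt_rand(0, strlen($alphabet) - 1)];
    }
    return $out;
}

// Hardened: random_int() draws unbiased integers from the OS CSPRNG.
function secureToken(int $length = 16): string
{
    $alphabet = ALPHABET;
    $out = '';
    try {
        for ($i = 0; $i < $length; $i++) {
            $out .= $alphabet[random_int(0, strlen($alphabet) - 1)];
        }
    } catch (\Exception $e) {
        // random_int() throws when no secure source is available.
        // Fail closed: never fall back to mt_rand() for a secret.
        throw new \RuntimeException('No secure randomness available', 0, $e);
    }
    return $out;
}

$seed = 1686853499; // constructed sample seed

// Same seed, same token: the output is a pure function of the seed.
var_dump(weakToken($seed) === weakToken($seed));

// Two independent CSPRNG tokens; there is no seed to replay.
var_dump(secureToken() === secureToken());
```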