Newsgroups: php.internals Path: news.php.net Xref: news.php.net php.internals:72997 Return-Path: Mailing-List: contact internals-help@lists.php.net; run by ezmlm Delivered-To: mailing list internals@lists.php.net Received: (qmail 6275 invoked from network); 8 Mar 2014 00:19:41 -0000 Received: from unknown (HELO lists.php.net) (127.0.0.1) by localhost with SMTP; 8 Mar 2014 00:19:41 -0000 Authentication-Results: pb1.pair.com header.from=yohgaki@gmail.com; sender-id=pass Authentication-Results: pb1.pair.com smtp.mail=yohgaki@gmail.com; spf=pass; sender-id=pass Received-SPF: pass (pb1.pair.com: domain gmail.com designates 209.85.215.49 as permitted sender) X-PHP-List-Original-Sender: yohgaki@gmail.com X-Host-Fingerprint: 209.85.215.49 mail-la0-f49.google.com Received: from [209.85.215.49] ([209.85.215.49:38078] helo=mail-la0-f49.google.com) by pb1.pair.com (ecelerity 2.1.1.9-wez r(12769M)) with ESMTP id 93/A5-57079-B126A135 for ; Fri, 07 Mar 2014 19:19:40 -0500 Received: by mail-la0-f49.google.com with SMTP id mc6so3227205lab.22 for ; Fri, 07 Mar 2014 16:19:36 -0800 (PST) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20120113; h=mime-version:sender:in-reply-to:references:from:date:message-id :subject:to:cc:content-type; bh=CE3nGCRl77uAcymVouyebmfqqe9CVky4Qppr7n7glfo=; b=JlT3lyvQB+Eh0gI3DInHfeHim9b5/LwWLa689D+usH+HbMWlvQ4fmwBOnZuoImrXO7 8xxvzuOoZF84H+kN/gItezx+ktqLCQuVXlzHD4I6GGHA3DTOPaRe/fD2hL6dNV5SYHEk E7i2wHY8XUpoKwkW0KkO9piup8sV408mlBFqWy7LT3uCBD8LKzZoCJ+a9BiG+tPl4sBd Ehkw0BF6RxwHIjYETDXqnf3r14wlEUfM/L+/QYhWkFexA7nILhzy9zwtNEq7sg/TKerk 6kVsar2XN3nRFVmZkCP+uGnqudk0L+ZBRC/6+Gin9yeAZvoFZd7mLIeWSb6S/V1wm4js krLA== X-Received: by 10.112.136.71 with SMTP id py7mr9576883lbb.26.1394237976712; Fri, 07 Mar 2014 16:19:36 -0800 (PST) MIME-Version: 1.0 Sender: yohgaki@gmail.com Received: by 10.112.205.102 with HTTP; Fri, 7 Mar 2014 16:18:56 -0800 (PST) In-Reply-To: References: Date: Sat, 8 Mar 2014 09:18:56 +0900 X-Google-Sender-Auth: uaW9aUkHaj1XpUBchSJs0rB2_mk Message-ID: To: Pierre Joye Cc: Nikita Popov , PHP internals Content-Type: multipart/alternative; boundary=089e01182f34559b5d04f40d53c3 Subject: Re: [PHP-DEV] Default mcrypt_create_iv() to /dev/urandom From: yohgaki@ohgaki.net (Yasuo Ohgaki) --089e01182f34559b5d04f40d53c3 Content-Type: text/plain; charset=UTF-8 HI all, On Sat, Mar 8, 2014 at 2:18 AM, Pierre Joye wrote: > > One potential issue when using /dev/urandom is that on some systems > > (notably Linux, but not BSD) it will not block even if it can't gather > > enough initial entropy for seeding the CSPRNG and as such produce > > predicable outputs. This condition can only occur immediately after > system > > startup and as per the /dev/random man page [1] this is mitigated by "all > > major Linux distributions [...] since 2000 at least" by saving a seed > file. > > > > As such I would suggest defaulting the mcrypt_create_iv() $source > parameter > > to MCRYPT_DEV_URANDOM. Objections? > > I have no objection as uramdom is good enough for 99.999% of php usage. I have no objection neither. Pierre has proposed unified RNG/PRNG source setting. I would like to see this in 5.6 and make php.ini's PRNG the default. Mess would be growing without unified RNG/PRNG. If there is unified PRNG setting in INI, I'll take care session module to use it just like encoding settings. i.e. Specific setting has more precedence than general setting. Regards, P.S. Thank you for taking care of this, Nikita. -- Yasuo Ohgaki yohgaki@ohgaki.net --089e01182f34559b5d04f40d53c3--