Newsgroups: php.internals
From: leight@gmail.com (Leigh)
To: Pádraic Brady
Cc: Matteo Beccati, Sammy Kaye Powers, PHP Internals
Date: Sun, 15 Mar 2015 20:13:17 +0000
Subject: Re: [PHP-DEV] [RFC] [VOTE] Vote open for reliable user-land CSPRNG

On 15 March 2015 at 13:17, Pádraic Brady wrote:

>
> Were folk to use random_int() by default, it would actually be
> considerably better than the situation today where many reach for
> mt_rand() without really considering the use case. Using a strong
> source of ints instead of a weak source still ends up with you getting
> the requested ints. There's no downside unless the source is blocking.
> We've deliberately avoided blocking sources for this implementation.
> Using the weak source over a strong source will also get you ints, but
> without knowing the use, it has the immediate downside risk of being
> from a weak source which shouldn't be used for anything requiring
> strong randomness.
>
> So random_int() really is the best first default option to go for when
> in doubt, with some careful consideration before switching to
> mt_rand().
>
> As for exhausting the entropy pool, this is something of a
> misconception. The sources in the RFC are pseudorandom generators
> which won't exhaust the entropy pool by design.
>

I should have read your mail before replying, but at least we've said the same thing :)
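The weak-source versus strong-source point from the quoted message, as an added example that is not part of the thread or of the RFC's code: the same token generator written once on mt_rand() and once on random_int(). The function names, alphabet and seed value are assumptions made for the illustration, and random_int() requires PHP 7 or later.

```php
<?php
declare(strict_types=1);

// Hypothetical alphabet for the illustration.
const ALPHABET = 'abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789';

// Weak form: every character comes from the Mersenne Twister, whose
// entire output stream is fixed once the seed is known.
function token_mt_rand(int $length): string
{
    $max = strlen(ALPHABET) - 1;
    $out = '';
    for ($i = 0; $i < $length; $i++) {
        $out .= ALPHABET[mt_rand(0, $max)];
    }
    return $out;
}

// Strong form: same shape, but each index is drawn from the operating
// system's CSPRNG through random_int(), which user code cannot seed.
function token_random_int(int $length): string
{
    $max = strlen(ALPHABET) - 1;
    $out = '';
    for ($i = 0; $i < $length; $i++) {
        $out .= ALPHABET[random_int(0, $max)];
    }
    return $out;
}

// Constructed seed, standing in for whatever value seeded the generator.
$seed = 20150315;

// Reseeding replays the mt_rand() token character for character, so the
// token carries no more secrecy than the seed, whatever its length.
mt_srand($seed);
$first = token_mt_rand(32);
mt_srand($seed);
$replayed = token_mt_rand(32);
printf("mt_rand:    %s\nreplayed:   %s\nidentical:  %s\n\n",
    $first, $replayed, $first === $replayed ? 'yes' : 'no');

// The same reseeding has no effect on random_int().
mt_srand($seed);
$a = token_random_int(32);
mt_srand($seed);
$b = token_random_int(32);
printf("random_int: %s\nsecond run: %s\nidentical:  %s\n",
    $a, $b, $a === $b ? 'yes' : 'no');
```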