Newsgroups: php.internals Path: news.php.net Xref: news.php.net php.internals:88782 Return-Path: Mailing-List: contact internals-help@lists.php.net; run by ezmlm Delivered-To: mailing list internals@lists.php.net Received: (qmail 27106 invoked from network); 13 Oct 2015 16:56:14 -0000 Received: from unknown (HELO lists.php.net) (127.0.0.1) by localhost with SMTP; 13 Oct 2015 16:56:14 -0000 Authentication-Results: pb1.pair.com smtp.mail=fsb@thefsb.org; spf=pass; sender-id=pass Authentication-Results: pb1.pair.com header.from=fsb@thefsb.org; sender-id=pass Received-SPF: pass (pb1.pair.com: domain thefsb.org designates 173.203.187.67 as permitted sender) X-PHP-List-Original-Sender: fsb@thefsb.org X-Host-Fingerprint: 173.203.187.67 smtp67.iad3a.emailsrvr.com Linux 2.6 Received: from [173.203.187.67] ([173.203.187.67:60174] helo=smtp67.iad3a.emailsrvr.com) by pb1.pair.com (ecelerity 2.1.1.9-wez r(12769M)) with ESMTP id 39/63-05441-DA73D165 for ; Tue, 13 Oct 2015 12:56:13 -0400 Received: from smtp1.relay.iad3a.emailsrvr.com (localhost.localdomain [127.0.0.1]) by smtp1.relay.iad3a.emailsrvr.com (SMTP Server) with ESMTP id 56B52180400; Tue, 13 Oct 2015 12:56:11 -0400 (EDT) Received: by smtp1.relay.iad3a.emailsrvr.com (Authenticated sender: fsb-AT-thefsb.org) with ESMTPSA id A3A0518042A; Tue, 13 Oct 2015 12:56:10 -0400 (EDT) X-Sender-Id: fsb@thefsb.org Received: from [10.0.1.2] (c-73-4-147-142.hsd1.ma.comcast.net [73.4.147.142]) (using TLSv1 with cipher DES-CBC3-SHA) by 0.0.0.0:465 (trex/5.4.2); Tue, 13 Oct 2015 16:56:11 GMT User-Agent: Microsoft-MacOutlook/14.5.5.150821 Date: Tue, 13 Oct 2015 12:56:08 -0400 To: Anthony Ferrara , PHP Internals Message-ID: Thread-Topic: [PHP-DEV] Port random_bytes to PHP 5 References: <561C7212.6080400@garfieldtech.com> <561D1266.60101@thefsb.org> In-Reply-To: Mime-version: 1.0 Content-type: text/plain; charset="UTF-8" Content-transfer-encoding: 7bit Subject: Re: [PHP-DEV] Port random_bytes to PHP 5 From: fsb@thefsb.org (Tom Worster) On 10/13/15, 10:59 AM, "Anthony Ferrara" wrote: > >Overall, I don't think this should be ported back to 5.x > >First off, it's pretty late in both 5.5 and 5.6 lifetimes (5.6 is >already up to .14). > >Introducing a feature this late would basically make it useless to the >vast majority of users of those versions (since many don't upgrade, or >use distro-pinned versions). I don't like it, but that's the truth. > >random_compat serves this need quite nicely, but as always there are >non-trivial tradeoffs at play. > >As far as making mcrypt_create_iv more standard, why? To reduce the motive to use OpenSSL (reduce objections to avoiding it) in general and in random_compat in particular. > That's what >random_bytes() was meant to do (and does). Just encourage people to >move forward with it and upgrade to 7... That's actually the stance I prefer. But I wanted to explore these options among those who know more about updating PHP itself than me. I guess you're right that adding this at the end of 5.5 and 5.6 won't accomplish much. The stance I prefer is that random_compat itself can educate users. Imagine the user that tries it out and sees the exception 'There is no suitable CSPRNG installed on your system'. That's a teachable moment. If this user object's "But I've got OpenSSL" then random_compat's docs can explain why it's not considered safe and what the user can do. Tom