Newsgroups: php.internals
Path: news.php.net
Xref: news.php.net php.internals:94025
Return-Path: <php@fleshgrinder.com>
Mailing-List: contact internals-help@lists.php.net; run by ezmlm
Delivered-To: mailing list internals@lists.php.net
Received: (qmail 79784 invoked from network); 15 Jun 2016 19:43:24 -0000
Received: from unknown (HELO lists.php.net) (127.0.0.1)
  by localhost with SMTP; 15 Jun 2016 19:43:24 -0000
Authentication-Results: pb1.pair.com smtp.mail=php@fleshgrinder.com; spf=permerror; sender-id=unknown
Authentication-Results: pb1.pair.com header.from=php@fleshgrinder.com; sender-id=unknown
Received-SPF: error (pb1.pair.com: domain fleshgrinder.com from 77.244.243.87 cause and error)
X-PHP-List-Original-Sender: php@fleshgrinder.com
X-Host-Fingerprint: 77.244.243.87 mx106.easyname.com  
Received: from [77.244.243.87] ([77.244.243.87:52957] helo=mx201.easyname.com)
	by pb1.pair.com (ecelerity 2.1.1.9-wez r(12769M)) with ESMTP
	id 09/C0-10183-ADFA1675 for <internals@lists.php.net>; Wed, 15 Jun 2016 15:43:23 -0400
Received: from cable-81-173-133-15.netcologne.de ([81.173.133.15] helo=[192.168.178.20])
	by mx.easyname.com with esmtpsa (TLS1.2:ECDHE_RSA_AES_128_GCM_SHA256:128)
	(Exim 4.84_2)
	(envelope-from <php@fleshgrinder.com>)
	id 1bDGiQ-0004Yt-U3; Wed, 15 Jun 2016 19:43:07 +0000
Reply-To: internals@lists.php.net
References: <CAPwsocFZQdU2bt0OETeJMQYBXVUkK8ygB5jTb4ML3df4GZWdVA@mail.gmail.com>
 <e28227a3-d5b1-b971-3362-c6d31768aa44@fleshgrinder.com>
 <dd126a62-a617-8f34-b3c6-8e7cd0df4674@gmx.de>
 <CAPwsocE6FKcKnz2Q2PJiKPbi8prxnUoSvq3UAn-UtWoX19pz=g@mail.gmail.com>
 <e4e02f09-4a29-2f25-f169-9664ae86e161@gmx.de>
 <1ee34970-76f4-e6c6-df1e-a827e3fc592d@fleshgrinder.com>
 <cdda2f52-3556-5836-9de6-4c82a98c57eb@thefsb.org>
 <25bb59bb-d9ac-5ab3-f0bb-d80e6b3fe745@fleshgrinder.com>
 <CANUQDChrXZ-6bqDkmRo2SA84fBCq+nrzJyg4vqRvY8_WN+yg2Q@mail.gmail.com>
To: Niklas Keller <me@kelunik.com>, internals@lists.php.net
Message-ID: <55ceae84-5e24-96b4-bb0f-bd8c71c057ef@fleshgrinder.com>
Date: Wed, 15 Jun 2016 21:43:05 +0200
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:45.0) Gecko/20100101
 Thunderbird/45.1.1
MIME-Version: 1.0
In-Reply-To: <CANUQDChrXZ-6bqDkmRo2SA84fBCq+nrzJyg4vqRvY8_WN+yg2Q@mail.gmail.com>
Content-Type: multipart/signed; micalg=pgp-sha256;
 protocol="application/pgp-signature";
 boundary="ud3xak7J5qUvwPp4Cw1BFuwnwhf13IlnR"
X-ACL-Warn: X-DNSBL-BARRACUDACENTRAL
Subject: Re: [PHP-DEV] [RFC] RNG fixes
From: php@fleshgrinder.com (Fleshgrinder)

--ud3xak7J5qUvwPp4Cw1BFuwnwhf13IlnR
Content-Type: multipart/mixed; boundary="0QffjqRm2Fp44FQK0ODjXO7MHUXd5BQQv"
From: Fleshgrinder <php@fleshgrinder.com>
Reply-To: internals@lists.php.net
To: Niklas Keller <me@kelunik.com>, internals@lists.php.net
Message-ID: <55ceae84-5e24-96b4-bb0f-bd8c71c057ef@fleshgrinder.com>
Subject: Re: [PHP-DEV] [RFC] RNG fixes
References: <CAPwsocFZQdU2bt0OETeJMQYBXVUkK8ygB5jTb4ML3df4GZWdVA@mail.gmail.com>
 <e28227a3-d5b1-b971-3362-c6d31768aa44@fleshgrinder.com>
 <dd126a62-a617-8f34-b3c6-8e7cd0df4674@gmx.de>
 <CAPwsocE6FKcKnz2Q2PJiKPbi8prxnUoSvq3UAn-UtWoX19pz=g@mail.gmail.com>
 <e4e02f09-4a29-2f25-f169-9664ae86e161@gmx.de>
 <1ee34970-76f4-e6c6-df1e-a827e3fc592d@fleshgrinder.com>
 <cdda2f52-3556-5836-9de6-4c82a98c57eb@thefsb.org>
 <25bb59bb-d9ac-5ab3-f0bb-d80e6b3fe745@fleshgrinder.com>
 <CANUQDChrXZ-6bqDkmRo2SA84fBCq+nrzJyg4vqRvY8_WN+yg2Q@mail.gmail.com>
In-Reply-To: <CANUQDChrXZ-6bqDkmRo2SA84fBCq+nrzJyg4vqRvY8_WN+yg2Q@mail.gmail.com>

--0QffjqRm2Fp44FQK0ODjXO7MHUXd5BQQv
Content-Type: text/plain; charset=utf-8
Content-Transfer-Encoding: quoted-printable

On 6/15/2016 9:31 PM, Niklas Keller wrote:
> Quoting from PHP.net:
>=20
> PHP is a popular general-purpose scripting language that is especially
> suited to web development.
>=20

Quoting from Wikipedia:

> PHP is a server-side scripting language designed for web development >
but also used as a general-purpose programming language.

But let use stop that now. I already wrote that someone should come up
with use cases for predictable random numbers other than creating
insecure secrets. This is the main problem that needs solving, people
using this stuff without knowing what they do.

Keep in mind that anyone or anything (company) that requires predictable
random numbers for their software (e.g. game) wants to have more control
over distribution and ways to tweak it. Hence, they will directly
implement it straight on their own anyways. Business rules are more
important in such domains than readily available built-in stuff.
Otherwise many people would not have jobs. :P

If they really don't want to they can still fall back to PECL. I really
do not see the shared hosting as a big argument here because shared
hosting directly falls back to web application and -- as I said before
-- in this context the requirement for predictable random numbers is
pretty much nil.

Just proof me wrong and show me where it is needed.

Drupal? Symfony? Zend? Wordpress? PhpBB? ...?

--=20
Richard "Fleshgrinder" Fussenegger


--0QffjqRm2Fp44FQK0ODjXO7MHUXd5BQQv--

--ud3xak7J5qUvwPp4Cw1BFuwnwhf13IlnR
Content-Type: application/pgp-signature; name="signature.asc"
Content-Description: OpenPGP digital signature
Content-Disposition: attachment; filename="signature.asc"

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v2

iQIcBAEBCAAGBQJXYa/OAAoJEOKkKcqFPVVr4EAP/A8YjRQdPXacm6DRlcnQ4glx
ewW0EIfyQjjgUtBHLZCSi2wpkNTkL8C5Gt9aJxxWkK6r96nVv9rPTx9Zs5HesPPE
aeVWm2IJuQTt/0sNHgTOjn1YQEuvzdCR8u9Y48QvZ8Iv9nHcjNA84991A2x/qUNj
A2aCechtYBRzjN78GD2SIFHjE6KIRrnK21K1CpWdZH0FAPq2RdggGTPeGdj/ivfm
dX5YKFw4DZ/ORoidcDfOfbejqPKs90skiHfpgNGu139I6dOsBqdX5R5iAfFg4671
GP0WgFrmDq8zHHLrMAtk9vsz/veGEEa6WXu6iMu5haGgI/KzeZeu/ONnKiBbggSo
l70dzq653AsWEiFM5Bl80t+/13RaNQjRpchECArmEOpje6RDEDgYHjF4QcCEqzrL
6J1xDvnwmch8WM8LtrEgJaYw/znUGvnz2hH6O5V2RNxoi41Q1tUH+tXrYD6HG/TZ
4I6rL5WeYdC8fyvzgB3UY1EuJGiXI7aVzoAQ/3SP1n/JRiENGYG071Z0sTVeBbax
5/Ffs3pNLOekmkr+1s+vqp6H85UWF5zR3OfUmV/NqlRHhBxGVQrigs5DPRQfq753
4OlA4Ph2Uu5+VU9TCueAzUD3KMPpFwR4g+uUdwBmPXXx3BPswCcXOPzwGSKQQ+/v
yglft/hKa+MLJmlJJpJq
=I8n5
-----END PGP SIGNATURE-----

--ud3xak7J5qUvwPp4Cw1BFuwnwhf13IlnR--