Newsgroups: php.internals
Subject: Re: [PHP-DEV] [RFC] RNG fixes
From: pierre.php@gmail.com (Pierre Joye)
Date: Fri, 17 Jun 2016 01:14:00 +0700
To: PHP internals
Cc: Niklas Keller

On Jun 17, 2016 12:43 AM, "Fleshgrinder" wrote:
>
> On 6/16/2016 4:21 AM, Pierre Joye wrote:
> > No they don't all do it.
> >
>
> We don't know but I will try to find legitimate usages of (mt_)rand.

Well, now you do, as I gave you examples of such usages. Their code is not public so I cannot give you links. I am not sure I follow the legitimate part. There are perfectly legitimate usages of rand/mt_rand outside crypto. The fact that some developers still do not get the non-safe part is an education problem. The same applies to many functions, like serialize, which has many security impacts, but we do not remove it because some people misuse it constantly.

> On 6/16/2016 4:21 AM, Pierre Joye wrote:
> > There are ways to achieve what you want in a nice way while not breaking
> > things. Let's consider them.
> >
>
> Moving to PECL does not break anything.

It does, as these functions are available by default and cannot be disabled (ext/standard).