Newsgroups: php.internals
Date: Sun, 19 Jun 2016 18:59:05 +0200
Subject: Re: [PHP-DEV] [RFC] RNG fixes
From: php@fleshgrinder.com (Fleshgrinder)
Reply-To: internals@lists.php.net
To: Pierre Joye, PHP internals
Cc: Christoph Becker, Niklas Keller, Tom Worster

On 6/19/2016 6:27 PM, Pierre Joye wrote:
> I think I gave you plenty of valid usage of MT rand or rand in some
> extends.
>
> And the argument about them being dangerous for crypto is the same for any
> other functions. And right, this argument is invalid.
>
> We do not remove cars from the street because there are car accidents. But we
> educate and prevent them. In this case it is about education (doc, blog
> posts and all the palette of developers evangelism or whatever "spreading a
> msg" is called these days).
>
> I would appreciate that you understand our arguments. You can disagree but
> cannot deny them.
>

I just went back and had a look at all messages of this thread, the only
argument is:*

On 6/14/2016 8:14 PM, Christoph Becker wrote:
> In my opinion, we need at least one random function which yields
> reproducible values.
>

I understand that and I am totally in favor of adding a function that
yields reproducible sequences. However, that function should be of good
quality (fast, properly documented, modern algo, ...). This matches Tom
Worster's analysis of mt: it's just crap. :P

I am sorry if it seems to you as if I am ignoring you. Quite the
opposite is the case.
It is just unbelievable to me that we are trying to keep these
functions if there are so many better alternatives that we can provide
to our users. There is nothing bad about a deprecation together with a
much better alternative. I cannot imagine that anyone has a problem with
that.

* Let me know if I missed any other argument that clearly explains why
mt_rand() cannot be deprecated and removed. Oh, yes, I am ignoring the
legitimate usage from a private software that is unsharable because this
argument cannot be verified. It is also not clear why that software
should not be able to upgrade to a faster function.

-- 
Richard "Fleshgrinder" Fussenegger