Newsgroups: php.internals
Date: Mon, 12 Sep 2016 21:08:26 +0900
Subject: Re: [PHP-DEV] [RFC][DISCUSSION] Improve uniqid() uniqueness
From: yohgaki@ohgaki.net (Yasuo Ohgaki)
To: Kazuo Oishi
Cc: "internals@lists.php.net"

Hi Kazuo,

On Mon, Sep 12, 2016 at 7:48 PM, Kazuo Oishi wrote:
>> I know some code breaks, but it's not many. It's not fatal BC also.
>>
>> IMHO, uniqid() should try to generate uniqid() possible. uniqid() does produce
>> non unique ID because it is system time based. This change mitigates impact of
>> misuse also which is common in both open and close codes.
>>
>> Which is important?
>> - Fix known issues and generate unique ID (as much as possible)
>> - Let it generate non unique ID and ignore for some code may complain.
>
> IMO, improving it (generate better semi-unique ID) is not important
> enough to introduce unnecessary BC break. (Why returning string length
> is changed?)

It cannot not produce unique ID as name "uniqid()" implies by default.
Reason is described in the RFC. Please read RFC because it's the
official proposal.

Since we have to change "more entropy" to TRUE by default, why not use
much better entropy? php_combined_lcg() is legacy entropy generator
_must not_ be used now. New code's entropy is more than a million times
better for the same length. 50 bits entropy is far less enough for
crypt safety, though.

> If good unique ID generator is needed in core, please create new
> function with another name like "unique_id".

Already is, session_create_id() could be used. Or UUID if 3rd party
module can be used.

Although I would not like to leave legacy functions as much as possible,
this could be a vote option. Any more request for new function, anyone?

I don't like the name because "unique_id()" implies "absolute unique ID",
but we can only provide "very close to unique ID". I'm not sure if it's
good to have "uniqid()" and "unique_id()" that have the same note:
"This function does not guarantee 100% uniqueness".

If we are going to have unique_id(), I would like to keep timestamp
value, since this improves uniqueness and handy for non crypt usage.

Regards,

--
Yasuo Ohgaki
yohgaki@ohgaki.net