Newsgroups: php.internals
From: rowan.collins@gmail.com (Rowan Collins)
To: internals@lists.php.net
Date: Mon, 12 Sep 2016 14:47:23 +0100
Subject: Re: [PHP-DEV] [RFC][DISCUSSION] Improve uniqid() uniqueness
Message-ID: <6370f3c9-0904-bac9-0f9e-e563e9af9843@gmail.com>
References: <878tuxenl4.fsf@lil.giraffy.jp> <87twdlcs2j.fsf@lil.giraffy.jp>

Hi Yasuo,

uniqid() has never been, and is not claimed to be, guaranteed unique to any particular standard.

On 12/09/2016 13:08, Yasuo Ohgaki wrote:
> Since we have to change "more entropy" to TRUE by default

Is your intention that the version without "more entropy" be deprecated, and at some point the option removed? Or do you just want to increase the visibility of this option by enabling it by default?

In other words, do you consider the function to be broken / useless if this option is not set to true? Or do you think users don't understand when to use it and when not?

> why not use much better entropy? php_combined_lcg() is legacy entropy generator
> _must not_ be used now. New code's entropy is more than a million
> times better for the same length. 50 bits entropy is far less enough for
> crypt safety, though.

What costs and benefits will users see of changing the entropy generator? Does it make uniqid() collisions less likely, and if so what kind of probability are we talking about? Does it have a speed or memory cost (over the existing more_entropy version, i.e. ignoring sleep)?

Even if we accept a) that the default parameters should be changed, and b) that the source for "more entropy" should be changed, I'm not clear why the output format also needs to change. Is there some reason the output of php_random_bytes() can't be encoded into decimal digits, rather than [0-v]?

Regards,

-- 
Rowan Collins
[IMSoP]