Newsgroups: php.internals
From: me@kelunik.com (Niklas Keller)
To: Yasuo Ohgaki
Cc: Joe Watkins, Leigh, PHP Internals
Date: Tue, 18 Oct 2016 15:00:15 +0200
Subject: Re: [PHP-DEV] Re: [RFC][DISCUSSION] Improve uniqid() uniqueness

2016-10-18 14:41 GMT+02:00 Yasuo Ohgaki :

> Hi Niklas,
>
> On Tue, Oct 18, 2016 at 9:33 PM, Niklas Keller wrote:
> > 2016-10-18 14:12 GMT+02:00 Yasuo Ohgaki :
> >>
> >> Hi Niklas,
> >>
> >> On Tue, Oct 18, 2016 at 9:08 PM, Niklas Keller wrote:
> >> >>
> >> >> As you can see from last minutes discussion.
> >> >>
> >> >> "/dev/urandom cannot be read" is FUD.
> >> >> It's pure bug fix. (I intentionally made patch easy to extend used
> >> >> chars, though)
> >> >>
> >> >> Would you consider revert the revert?
> >> >
> >> >
> >> > This discussion shows there should be a RFC and a vote. I'd not consider
> >> > this a simple bug fix, after all it doesn't really fix it.
> >> >
> >> > If we want to fix it in core, we'd better include an UUID generation
> >> > mechanism than fixing uniq_id.
> >>
> >> UUID like uniqueness is not the subject of uniqid(), isn't it?
> >
> >
> > UUID = Universally Unique Identifier
> > uniqid = Generate a unique ID
> >
> > Where is uniqueness _not_ the subject of uniqid()?
> >
> >>
> >> As I wrote, it's simple bug fix.
> >
> >
> > The issue is that it doesn't fix it. Maybe it band aids. But it doesn't fix
> > uniqid.
> >
> > It's exactly why I proposed to better deprecate uniqid. We can do that in
> > 7.2 and provide UUIDs as a standardized and superior alternative.
>
> OK, I understand you prefer to deprecate uniqid(), but I guess
> uniqid() deprecation is less likely to be passed than improving
> uniqid() uniqueness with a little BC.
>
> If you search uniqid() usage, you'll see UUID is too much for many
> usages. uniqid() has it own use cases.
>
> Current uniqid() is not unique at all.

Right, and it's impossible to fix it without breaking BC, because really
fixing it would require more output.

> The patch simply fixes it by
> using proper entropy, no BC basically.
>

It might be fine committing this to master. But as you say, uniqid is
broken and I'd not consider it fixed with just changing the source of
entropy but leaving the output as is.

> What's wrong with this?
>

Committing it directly to a frozen branch is.

Regards, Niklas

---------------
> The patch committed is pure bug fix.
>
> uniqid() is simply _broken_ because it does not provide expected
> uniqueness due to timestamp based php_combined_lcg(). (I added large
> warning to the manual recently, though)
>
> unique id (time stamp) + entropy (timestamp based entropy)
>
> Who argue result is reasonably unique?
> Who don't use NTP to adjust system time?
> ---------------
>
> --
> Yasuo Ohgaki
> yohgaki@ohgaki.net
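
The point argued in this thread, that an identifier built from clock readings repeats whenever the clock reading repeats, shown as an added PHP illustration (not code from php-src or from either participant). The 8+5 hex digit layout mirrors uniqid() without more_entropy; the function names and the clock readings are constructed for the example.

```php
<?php
// Added illustration; function names and sample data are hypothetical.

// Same layout as uniqid() without more_entropy:
// 8 hex digits of seconds followed by 5 hex digits of microseconds.
function timestamp_id(int $sec, int $usec): string
{
    return sprintf('%08x%05x', $sec, $usec);
}

// Recover the clock reading from such an ID: nothing else is encoded in it.
function decode_timestamp_id(string $id): array
{
    return [hexdec(substr($id, 0, 8)), hexdec(substr($id, 8, 5))];
}

// Number of entries that repeat an earlier entry in the list.
function count_duplicates(array $ids): int
{
    return count($ids) - count(array_unique($ids));
}

// Constructed clock readings [sec, usec]: two callers in the same
// microsecond, then a backwards clock step that replays an earlier reading.
$clock = [
    [1476795615, 250000],
    [1476795615, 250000], // second process, same microsecond
    [1476795615, 250001],
    [1476795616, 10],
    [1476795615, 250001], // after the system time was adjusted backwards
];

$timeIds = [];
$randomIds = [];
foreach ($clock as [$sec, $usec]) {
    $timeIds[] = timestamp_id($sec, $usec);
    // 128 bits from the CSPRNG: independent of the clock, but 32 hex
    // characters instead of 13, i.e. a different output format.
    $randomIds[] = bin2hex(random_bytes(16));
}

[$sec, $usec] = decode_timestamp_id($timeIds[0]);
printf("%s decodes to sec=%d usec=%d\n", $timeIds[0], $sec, $usec);
printf("timestamp IDs: %d duplicates in %d\n", count_duplicates($timeIds), count($timeIds));
printf("random IDs:    %d duplicates in %d\n", count_duplicates($randomIds), count($randomIds));
```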