Newsgroups: php.internals Path: news.php.net Xref: news.php.net php.internals:96456 Return-Path: Mailing-List: contact internals-help@lists.php.net; run by ezmlm Delivered-To: mailing list internals@lists.php.net Received: (qmail 86531 invoked from network); 19 Oct 2016 00:52:09 -0000 Received: from unknown (HELO lists.php.net) (127.0.0.1) by localhost with SMTP; 19 Oct 2016 00:52:09 -0000 Authentication-Results: pb1.pair.com smtp.mail=pierre.php@gmail.com; spf=pass; sender-id=pass Authentication-Results: pb1.pair.com header.from=pierre.php@gmail.com; sender-id=pass Received-SPF: pass (pb1.pair.com: domain gmail.com designates 209.85.217.172 as permitted sender) X-PHP-List-Original-Sender: pierre.php@gmail.com X-Host-Fingerprint: 209.85.217.172 mail-ua0-f172.google.com Received: from [209.85.217.172] ([209.85.217.172:34415] helo=mail-ua0-f172.google.com) by pb1.pair.com (ecelerity 2.1.1.9-wez r(12769M)) with ESMTP id FA/61-12428-8B3C6085 for ; Tue, 18 Oct 2016 20:52:08 -0400 Received: by mail-ua0-f172.google.com with SMTP id m26so1115458uaa.1 for ; Tue, 18 Oct 2016 17:52:08 -0700 (PDT) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20120113; h=mime-version:in-reply-to:references:from:date:message-id:subject:to :cc; bh=PQlUGmfYqbGHFbJq7d4vc97jmGTONnhaAPgGAwRaLQo=; b=S5FdRooYVgR51dk6CbvNHcqbiYovy19AezUmzq5XRKYbboqnt3hKAdk/nm7+nA6LFi pOPlmXMUO9JzGxBF6uQTEY9nHGcTXgCnUqZd5IvOf7oQlHhVzenxAeJ2Sd+gHQwIBZnp XwXJjxhhKe/qQVwZqagrZZd2cyQlxAEikYcBmKAnaYqcXs0O9bn+UPUc6lWrkmfZFQbW YjugyBOHv4Mkk0anBicc0WyXXcydrgMEoom/QQnd5gINFP0OqguueFrzDatTTMJaR8of M7zhX+V8BF9Dse19VkDAagMcsEZ+cWhy8a6IjetcVanF+IOhTR3wbk62ZtcTEJc4Pn0f oLTQ== X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20130820; h=x-gm-message-state:mime-version:in-reply-to:references:from:date :message-id:subject:to:cc; bh=PQlUGmfYqbGHFbJq7d4vc97jmGTONnhaAPgGAwRaLQo=; b=AQwqYsOY7hSeDU61jTUpJJgyGwqOzdrF3l+rdLLRn9ROQzBn7LNjc9hUGHpYxX4D9q w6cmD+ZPzJdlJ+KfDTsEdxPmudSGIdFKXUB6/W9etle4S1vPD6ZA6egTSXhejvev4uQR MQrPciZCrMbTBE9fTiFLDQhEBIlC9qYTm+mU9vY2Wm/Cdrub6ewY1cHi0Qg78XfyZz6b S5NrGzsz5TcS4idEGDQsWf+2BOjO/AFnJy61DSbZDDraNuVy3mbAyr97q28+/ZpsC66V QXOrzG46A2TbShJXhhAKfjfbzbcX+etrryPlJ2rpV4GY5h11Qi6YNyA1odZ3GjfOO1u7 ISGA== X-Gm-Message-State: AA6/9RkKTloEQ9BDid/9pqTGoIpyu4HPjayV+RFatSjecBDmTUh2LlsjL2/wfsjuvWlttE6WbiNEu8yzqE+z+Q== X-Received: by 10.176.81.178 with SMTP id g47mr398124uaa.61.1476838324856; Tue, 18 Oct 2016 17:52:04 -0700 (PDT) MIME-Version: 1.0 Received: by 10.159.36.109 with HTTP; Tue, 18 Oct 2016 17:52:04 -0700 (PDT) In-Reply-To: References: Date: Wed, 19 Oct 2016 07:52:04 +0700 Message-ID: To: Yasuo Ohgaki Cc: "internals@lists.php.net" Content-Type: text/plain; charset=UTF-8 Subject: Re: [PHP-DEV] Bug fix and RFC/Merge rule From: pierre.php@gmail.com (Pierre Joye) hi Yasuo, On Wed, Oct 19, 2016 at 4:41 AM, Yasuo Ohgaki wrote: > Hi all, > > Following commit is reverted because someone requested "RFC" and/or > demand "Merge approval from RM", Yes, this is the rule for non obvious things. Or no matter what for stable branches in security mode or RC phase. > http://git.php.net/?p=php-src.git;a=commitdiff;h=48f1a17886d874dc90867c669481804de90509e8 > > I don't understand the reasoning why it requires RFC nor Merge > approval. As we all know, there are many bug fixes without RFC nor > discussion. > > So let's discuss about what bug fix requires RFC and merge approval. > > The patch fixes "uniqid() is not unique enough" bug. > --------------- > ==Rationale== > uniqid() is simply _broken_ because it does not provide expected uniqueness due > to timestamp based php_combined_lcg(). > (large warning is added to the manual recently) > > unique id (time stamp) + entropy (timestamp based entropy) > > Problems of this implementation > - NTP is used to adjust system time. > - Result is not reasonably unique by logic. > > ==Resolution== > Replace php_combined_lcg() (Poor PRNG) to php_random_bytes() (CSPRNG). > > Patch > http://git.php.net/?p=php-src.git;a=commitdiff;h=48f1a17886d874dc90867c669481804de90509e8 > (less than 30 lines of diff) > > ==BC impact== > There is no BC. php_random_bytes() raises exception for bad CSPRNG, > but this very unlikely and such system shouldn't be used anyway. > --------------- > > Discussions in previous thread > --------------- > =="new uniqid() can cause /dev/urandom cannot read error"== > > This is FUD. Almost all "/dev/urandom cannot read" issues on the net > is due to "open_basedir" restriction. "open_basedir" is nothing to do > with internal functions, so the discussion is FUD. > > =="Any new error is BC so the patch should be reverted"== > > We do have many bug fixes emit new errors. We don't revert them at all > even when it's very common and annoying. > > Example: https://bugs.php.net/bug.php?id=73238 > This bug fix made WordPress display few additional E_WARNING errors > that can be remove by php.ini or code fix. > > =="Someone explicitly requested RFC/Merge approval, so it should be reverted"== > > IMHO, the patch is very simple patch only fixes problem. Many bug > fixes include more severe BC issues than the patch, behavior changes > and raised errors. Yet, no RFC nor discussions. > > If someone requested RFC/Merge request for very simple patch, should > we follow always? > > =="It does not have to hurry"== > > I agree with this. However, reverting simple bug fix patch does not make sense. > -------------- > > Question is: > - What kind of bug fix requires RFC? No behavior change, strong consensus, no BC break. But really a case by case question. > - What kind of bug fix requires discussion and approval to merge > released versions? Same answer. > > After all, my question is "Should we discuss all bugs before commits?" > "The revert is valid and reasonable?" The main point is what is a bug, what is a BC break. And we had many different opinions in the past. Even in this case where "this system should not be used anyway" makes me wonder. Like your session change, while not really critical to me (has been like that for ages) is relatively logical while as a RM, I would not merge it in 7.1 at this stage (RC). Cheers, Pierre