Newsgroups: php.internals
Subject: Re: [PHP-DEV] Re: [RFC][DISCUSSION] Improve uniqid() uniqueness
From: yohgaki@ohgaki.net (Yasuo Ohgaki)
Date: Thu, 20 Oct 2016 18:28:27 +0900
To: Kalle Sommer Nielsen
Cc: Anatol Belski, Joe Watkins, Niklas Keller, Leigh, PHP Internals

Hi Kalle,

On Thu, Oct 20, 2016 at 5:17 PM, Kalle Sommer Nielsen wrote:
> 2016-10-20 9:18 GMT+02:00 Yasuo Ohgaki :
>> "Do not make assumption for uniqid() output format, entropy
>> especially. uniqid() output format may be changed to provide
>> reasonably unique ID in future versions."
>
> Sounds reasonable to me; although I would phrase it a little
> differently, something along the lines of:
>
> The uniqid cannot be relied on to be unique and
> there can occur collisions, even with the
> more_entropy set to &true;.

I added warnings to the uniqid() manual recently. It's visible now, could you check this?

http://php.net/manual/en/function.uniqid.php

Warnings are based on the following facts.

uniqid(); // without entropy
usleep(1) is called to get unique timestamp, but NTP can disturb and uniqid() can result in the same ID.

uniqid('', TRUE); // with entropy
It's better, but entropy is based on system timestamp and there is no usleep(1), so uniqid() is more sensitive to system clock adjustment by NTP, and uniqid() can result in the same ID.

Collision is unlikely, but it is not that unlikely with true CSPRNG based entropy. Therefore, I made the warning a little strong. With CSPRNG, we may use a more gentle warning. IMO.

> As for the in future version, although we may do that, I don't think
> we should document something that is not in the core yet. What do you
> think?

Entropy is some random value by definition, so we may tell users "Make no assumption for entropy" at least. IMO.

Is this reasonable to you?

Regards,

--
Yasuo Ohgaki
yohgaki@ohgaki.net
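
Added example (not part of the original message, and not PHP's own source): a PHP sketch of why the clock-based warnings discussed in the message apply, next to an ID drawn from the CSPRNG. It assumes the prefix-less uniqid() layout of 8 hex digits of seconds followed by 5 hex digits of microseconds; decode_uniqid(), id_from_clock() and random_id() are hypothetical helper names, and the repeated clock reading is constructed.

```php
<?php
declare(strict_types=1);

// Split a prefix-less uniqid() value into the clock fields it encodes.
function decode_uniqid(string $id): array
{
    if (!preg_match('/^([0-9a-f]{8})([0-9a-f]{5})(\d{1,2}\.\d{8})?$/', $id, $m)) {
        throw new InvalidArgumentException('not a prefix-less uniqid() value');
    }
    return [
        'sec'   => (int) hexdec($m[1]),   // Unix seconds
        'usec'  => (int) hexdec($m[2]),   // microseconds within that second
        'extra' => $m[3] ?? null,         // suffix present only with more_entropy
    ];
}

// Hypothetical helper: format a clock reading in the assumed uniqid() layout.
function id_from_clock(int $sec, int $usec): string
{
    return sprintf('%08x%05x', $sec, $usec);
}

// Hypothetical replacement: 128 bits from the OS CSPRNG, independent of the clock.
function random_id(): string
{
    return bin2hex(random_bytes(16));
}

// 1. Both uniqid() forms decode straight back to the wall-clock time of the call.
foreach ([uniqid(), uniqid('', true)] as $id) {
    $f = decode_uniqid($id);
    printf("%-24s -> %s UTC +%06d usec, extra=%s\n",
        $id, gmdate('Y-m-d H:i:s', $f['sec']), $f['usec'], $f['extra'] ?? 'none');
}

// 2. Constructed clock readings: the second one is taken after a clock
//    adjustment has stepped time back onto the same microsecond.
$beforeStep = id_from_clock(1476955707, 250000);
$afterStep  = id_from_clock(1476955707, 250000);
printf("clock repeated, IDs collide: %s\n", var_export($beforeStep === $afterStep, true));

// 3. A CSPRNG-based ID carries no timestamp, so a clock step cannot repeat it.
printf("random_id(): %s\n", random_id());
```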