On Mon, Jul 25, 2022 at 7:08 AM Go Kudo <zeriyo...@gmail.com> wrote:

> Indeed, but ext-openssl is not always available.
> To use it in an ext-session, etc., it must be bundled reliably.
>

Which means that users can generally call `random_bytes()/random_int()` for an always available, but maybe not most performant CSPRNG source, or if they need those extra cycles, they can make sure OpenSSL is installed and available and call that API instead. Library authors can even abstract this away using `function_exists()` and a graceful fallback to `random_int()`. I think it's okay to trust developers to know how to program well, and to learn when they don't.

-Sara
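
An added example, not part of the original message or of any PHP project code: one way a library could wrap the `function_exists()` check and fallback described above. It assumes the OpenSSL API in question is `openssl_random_pseudo_bytes()` and a 64-bit PHP build; the names `csprng_bytes()` and `csprng_int()` are hypothetical.

```php
<?php
declare(strict_types=1);

// Assumption: the OpenSSL API meant above is openssl_random_pseudo_bytes().
function csprng_bytes(int $length): string
{
    if ($length < 1) {
        throw new InvalidArgumentException('length must be at least 1');
    }
    if (function_exists('openssl_random_pseudo_bytes')) {
        try {
            $bytes = openssl_random_pseudo_bytes($length, $strong);
            // Accept the output only if OpenSSL reports a strong source.
            if ($strong === true && is_string($bytes) && strlen($bytes) === $length) {
                return $bytes;
            }
        } catch (Throwable $e) {
            // Fall through to the core CSPRNG below.
        }
    }
    return random_bytes($length); // always available since PHP 7.0
}

function csprng_int(int $min, int $max): int
{
    if ($min > $max) {
        throw new InvalidArgumentException('min must not exceed max');
    }
    $span = $max - $min; // becomes float on integer overflow
    // Ranges wider than 32 bits (or without OpenSSL) go straight to random_int().
    if (!function_exists('openssl_random_pseudo_bytes') || !is_int($span) || $span >= 0xFFFFFFFF) {
        return random_int($min, $max);
    }
    $buckets = $span + 1;
    // Rejection sampling: discard draws from the incomplete top bucket,
    // because a plain modulo would bias the result toward low values.
    $limit = 0x100000000 - (0x100000000 % $buckets);
    do {
        $draw = unpack('N', csprng_bytes(4))[1];
    } while ($draw >= $limit);
    return $min + ($draw % $buckets);
}

echo bin2hex(csprng_bytes(16)), PHP_EOL; // 16 random bytes as hex
echo csprng_int(1, 6), PHP_EOL;          // unbiased value in 1..6
```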