Hi
On 5/30/23 17:52, Go Kudo wrote:
> It should be deprecated with PHP 8.4 at the earliest to give folks at least
Indeed, I agree that `lcg_value()` should be deprecated at least in PHP 8.4.
However, `lcg_value()` remains a dangerous function. It still has a weak
initial seeding problem (PID, time), not to mention global state. This is
extremely dangerous for workloads on containers where PIDs tend to be
fixed. Perhaps this should be documented at the time of the PHP 8.3 release.
As the function is not seedable in userland, we do not need to preserve
a specific sequence or behavior. Therefore it should be possible to
replace the seeding to make use of the CSPRNG and fall back to the old
and insecure seeding if the CSPRNG fails.
For the same reason, the global state is also less of a problem compared
to mt_rand() and friends.
Because of the above, I have removed my `lcg_value()` deprecation entry
from the RFC. Thanks!
Thanks!
Best regards
Tim Düsterhus
--
PHP Internals - PHP Runtime Development Mailing List
To unsubscribe, visit: https://www.php.net/unsub.php
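The seeding weakness and the proposed CSPRNG-with-fallback seeding discussed in the message above, modelled as an added Python example. This is not code from the thread or from PHP's own lcg.c: the combined-LCG constants are L'Ecuyer's (the generator family behind lcg_value()), but the way seconds and PID are mixed into the two states is an assumption chosen to keep the demonstration short, and the start time, PID and "observed" outputs are constructed. The attacker side shows why fixed container PIDs matter: once the PID is effectively known, the remaining seed space is a window of clock values, which is brute-forced in milliseconds.

```python
"""Added model of lcg_value()-style seeding: a combined LCG seeded weakly from
(time, PID) next to the CSPRNG seeding (with fallback) proposed in the thread.
Constructed illustration, not PHP's source; the exact mixing is an assumption."""
import os
import time

# Moduli and multipliers of L'Ecuyer's combined LCG (the generator family behind lcg_value()).
M1, M2 = 2147483563, 2147483399
A1, A2 = 40014, 40692


def seed_from_time_pid(seconds, pid):
    """Weak seeding: both states come from wall-clock seconds and the PID (assumed mixing).
    A zero state never leaves zero, so each state is forced into [1, modulus-1]."""
    return (seconds % (M1 - 1) + 1, pid % (M2 - 1) + 1)


def lcg_step(state):
    """One generator step; returns (value in [0, 1), new state)."""
    s1, s2 = state
    s1 = (s1 * A1) % M1
    s2 = (s2 * A2) % M2
    z = (s1 - s2) % (M1 - 1)
    if z < 1:
        z += M1 - 1
    return z / M1, (s1, s2)


def lcg_values(state, n):
    """Draw n values, returning them together with the state left behind."""
    out = []
    for _ in range(n):
        v, state = lcg_step(state)
        out.append(v)
    return out, state


def recover_seed(observed, approx_seconds, window, pid_candidates):
    """Attacker side: knowing roughly when the worker started (+/- window seconds) and
    which PIDs a container hands out, brute-force the whole seed space and return the
    (seconds, pid) pair whose stream reproduces the observed outputs, or None."""
    n = len(observed)
    for secs in range(approx_seconds - window, approx_seconds + window + 1):
        for pid in pid_candidates:
            vals, _ = lcg_values(seed_from_time_pid(secs, pid), n)
            if vals == observed:
                return secs, pid
    return None


def predict_next(seconds, pid, consumed):
    """With a recovered seed and the number of values the victim already drew, predict the next."""
    _, state = lcg_values(seed_from_time_pid(seconds, pid), consumed)
    return lcg_step(state)[0]


def failing_entropy_source(n):
    """Stand-in for an unavailable CSPRNG (constructed for the demo)."""
    raise OSError("CSPRNG unavailable")


def seed_from_csprng(entropy_source=os.urandom, fallback_seed=None):
    """Proposed seeding: 8 bytes from the OS CSPRNG. Only if that fails (OSError or a short
    read) fall back to the old (time, PID) scheme. Returns (state, used_fallback) so the
    caller can at least log that it is running on the weak seed."""
    try:
        raw = entropy_source(8)
        if len(raw) != 8:
            raise OSError("short read from entropy source")
        s1 = int.from_bytes(raw[:4], "big") % (M1 - 1) + 1
        s2 = int.from_bytes(raw[4:], "big") % (M2 - 1) + 1
        return (s1, s2), False
    except OSError:
        secs, pid = fallback_seed or (int(time.time()), os.getpid())
        return seed_from_time_pid(secs, pid), True


def demo():
    """Victim worker seeded at a constructed start time as PID 1 (typical inside a container).
    Returns the recovered (seconds, pid) and whether the attacker's prediction matched."""
    start, pid = 1685462400, 1                                 # 2023-05-30 16:00:00 UTC, constructed
    victim_state = seed_from_time_pid(start, pid)
    leaked, victim_state = lcg_values(victim_state, 3)         # three values the attacker observed
    guess = recover_seed(leaked, start + 30, 60, range(1, 65))  # attacker's clock is off by 30 s
    predicted = predict_next(*guess, consumed=3)
    actual, _ = lcg_step(victim_state)
    return guess, predicted == actual


if __name__ == "__main__":
    print(demo())
```

The fallback path is the part worth watching in review: it must be reachable only when the CSPRNG genuinely fails, and the returned flag exists so that the runtime can record the degraded seeding rather than silently continuing on a (time, PID) seed.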