Hi

On 6/15/23 13:46, Rowan Tommins wrote:
> While I agree with the logic of deprecating mt_rand() in general, I do
> think it's too early to do so in 8.3. The Random extension is very new, and

To be clear: The recommended replacement for mt_rand() for the majority
of use cases / applications is random_int() which is available since
7.0, not the OO API that was added in 8.2.
I've personally replaced all uses of mt_rand() / rand() with
random_int() at work a while ago and also sent upstream PRs to libraries
we use where appropriate.

> still isn't fully documented in the official manual (e.g.
> https://www.php.net/manual/en/random.examples.php is a blank placeholder)

Yes, unfortunately I could not yet get around to further completing the
documentation (and will likely not in the nearer future).
Not to diminish that argument, I'd like to note, that around the release
of PHP 8.2 I worked on the documentation, starting with the important
parts first: The newly added API and especially the Randomizer methods
*are* already documented with regard to parameter and return value
explanation and (real-world) examples. In fact I think the documentation
is in a better state than large parts of ext/intl.
If anyone wants to help with the documentation, feel free to send PRs.
I'm happy to review and advise! :-)

> let alone in third-party tutorials. I think there should be a "soft
> deprecation" period where we improve the guidance around which methods to
> use in which cases, and allow for some "organic" migration before raising
> notices for such a commonly used function.

As part of writing the documentation for the OO API I also worked on
updating the references and examples for existing functions and adding
new warnings. For example mt_srand() (which is the main cause of
concern) now has this large “Caution” note with regard to the seed size:
https://www.php.net/manual/en/function.mt-srand.php
Looping back to the beginning of my email: The recommended replacement
is random_int() which is available for years, but the "organic"
migration did not really work. It's trivial to find (security-sensitive)
code that *should* use random_int(), but uses mt_rand() using GitHub's
code search. That's my main reason for the deprecation - folks don't
read documentation and instead copy from old tutorials and StackOverflow.

> If the RFC stays as is, I will cast a No vote on that question, but I
> thought I'd raise the concerns early to avoid surprise.

I fully expected that part to be the most contentious one in the RFC and
if everyone agreed, we would not need to hold a vote. Even if the
deprecation is ultimately declined, I think it's useful to at least have
held the vote for two reasons:
1. It further raises awareness.
2. It gives additional information to work with.
Best regards
Tim Düsterhus
--
PHP Internals - PHP Runtime Development Mailing List
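
The message above notes that code still calling mt_rand() where random_int() belongs is easy to find. As an added example (not part of the original message or of the RFC), here is one way to audit your own code base for direct calls to those functions. It assumes PHP 8.0+ for `PhpToken`; the helper name `find_legacy_rng_calls` is hypothetical and the sample input is constructed.

```php
<?php
declare(strict_types=1);

// Legacy functions named in the message above.
const LEGACY_RNG = ['mt_rand', 'rand', 'mt_srand'];

// Hypothetical helper: list direct calls to the legacy functions in PHP source.
function find_legacy_rng_calls(string $source): array
{
    // Drop whitespace and comments so each token's neighbours are meaningful.
    $tokens = array_values(array_filter(
        PhpToken::tokenize($source),
        static fn (PhpToken $t): bool => !$t->isIgnorable()
    ));
    $skipAfter = [T_OBJECT_OPERATOR, T_NULLSAFE_OBJECT_OPERATOR, T_DOUBLE_COLON, T_FUNCTION];
    $hits = [];
    foreach ($tokens as $i => $tok) {
        // Unqualified name, or fully qualified such as \mt_rand.
        if (!$tok->is([T_STRING, T_NAME_FULLY_QUALIFIED])) {
            continue;
        }
        $name = strtolower(ltrim($tok->text, '\\'));
        $prev = $tokens[$i - 1] ?? null;
        $next = $tokens[$i + 1] ?? null;
        $isCall = $next !== null && $next->text === '(';
        // Method calls, static calls and declarations are not the global function.
        $isOther = $prev !== null && $prev->is($skipAfter);
        if ($isCall && !$isOther && in_array($name, LEGACY_RNG, true)) {
            $hits[] = ['line' => $tok->line, 'call' => $name];
        }
    }
    return $hits;
}

// Constructed sample input, not taken from any real project.
$sample = <<<'SRC'
<?php
function reset_token(): string {
    return md5((string) mt_rand());
}
$pin = \rand(1000, 9999);
$ok  = random_int(1000, 9999);
$die = $game->rand(1, 6);
SRC;

foreach (find_legacy_rng_calls($sample) as $hit) {
    printf("line %d: %s() - review, use random_int() if security-sensitive\n", $hit['line'], $hit['call']);
}
```

Working on tokens rather than a text search keeps matches inside strings, comments and method calls out of the report. Each hit still needs a human decision on whether the value is security-sensitive.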