On 15 March 2015 at 13:17, Pádraic Brady <padraic.br...@gmail.com> wrote:
>
> Were folk to use random_int() by default, it would actually be
> considerably better than the situation today where many reach for
> mt_rand() without really considering the use case. Using a strong
> source of ints instead of a weak source still ends up with you getting
> the requested ints. There's no downside unless the source is blocking.
>

We've deliberately avoided blocking sources for this implementation.

> Using the weak source over a strong source will also get you ints, but
> without knowing the use, it has the immediate downside risk of being
> from a weak source which shouldn't be used for anything requiring
> strong randomness.
>
> So random_int() really is the best first default option to go for when
> in doubt, with some careful consideration before switching to
> mt_rand().
>
> As for exhausting the entropy pool, this is something of a
> misconception. The sources in the RFC are pseudorandom generators
> which won't exhaust the entropy pool by design.
>

I should have read your mail before replying, but at least we've said the same thing :)