On 10/13/15, 10:59 AM, "Anthony Ferrara" <ircmax...@gmail.com> wrote:

>
>Overall, I don't think this should be ported back to 5.x
>
>First off, it's pretty late in both 5.5 and 5.6 lifetimes (5.6 is
>already up to .14).
>
>Introducing a feature this late would basically make it useless to the
>vast majority of users of those versions (since many don't upgrade, or
>use distro-pinned versions). I don't like it, but that's the truth.
>
>random_compat serves this need quite nicely, but as always there are
>non-trivial tradeoffs at play.
>
>As far as making mcrypt_create_iv more standard, why?

To reduce the motive to use OpenSSL (reduce objections to avoiding it) in general and in random_compat in particular.

> That's what
>random_bytes() was meant to do (and does). Just encourage people to
>move forward with it and upgrade to 7...

That's actually the stance I prefer. But I wanted to explore these options among those who know more about updating PHP itself than me. I guess you're right that adding this at the end of 5.5 and 5.6 won't accomplish much.

The stance I prefer is that random_compat itself can educate users. Imagine the user that tries it out and sees the exception 'There is no suitable CSPRNG installed on your system'. That's a teachable moment. If this user objects "But I've got OpenSSL" then random_compat's docs can explain why it's not considered safe and what the user can do.

Tom

--
PHP Internals - PHP Runtime Development Mailing List
To unsubscribe, visit: http://www.php.net/unsub.php