Hi!

> With PHP 7 comes random_bytes and random_int. This duplicates some of
> the logic internally that password_hash uses to generate its salt.
>
> I would like to refactor this to unify generation. I've opened a PR
> against master: https://github.com/php/php-src/pull/1585
>
> I don't feel comfortable pulling against 7 this far into RC status.
> Perhaps wait until after it goes gold? Or should this target 7.1? It's

If functionality does not change and it's just internal refactoring not
breaking BC (both language and binary) then it can go into 7.0.x. From
what I can see, it is pretty unintrusive, so I wouldn't mind too much
even getting it into 7.0 but that's on RM to decide.

In fact, at least making php_random_bytes() public API should be in 7.0
as that makes for far fewer compatibility problems for extensions later.
Generally speaking, having a public random generating function sounds
like a very prudent thing, even if we end up not merging the rest of the
patch into 7.0.

> not a big deal in either direction. Though it does add a side-effect,
> where if it can't gather enough entropy it will throw an exception and
> return failure (where prior it would simply make a "best effort").

From what I can see, a system that can't return enough random bytes
for what php_random_bytes() wants is deeply fubar, so in this scenario
failing fast is the best option.

--
Stas Malyshev
smalys...@gmail.com
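
The fail-fast behaviour discussed in this message, as an added example that is not part of the original e-mail and is not php-src code: a salt generator that returns an error when the random source comes up short instead of falling back to a "best effort" value. The function names, the /dev/urandom source and the hex encoding are assumptions made for illustration.

```c
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <string.h>
#include <unistd.h>
/* Added example: names, /dev/urandom source and hex encoding are assumptions. */
/* Read exactly len bytes from path; 0 on success, -1 on any shortfall. */
static int fill_random_from(const char *path, unsigned char *buf, size_t len)
{
    int fd = open(path, O_RDONLY);
    if (fd < 0)
        return -1;
    size_t got = 0;
    while (got < len) {
        ssize_t n = read(fd, buf + got, len - got);
        if (n < 0 && errno == EINTR)
            continue;              /* interrupted by a signal: retry */
        if (n <= 0)
            break;                 /* read error or EOF: short read */
        got += (size_t)n;
    }
    close(fd);
    return got == len ? 0 : -1;
}

/* 16 random bytes as hex. On failure: clear out, return -1, no weaker fallback. */
static int make_salt(const char *source, char out[33])
{
    static const char hex[] = "0123456789abcdef";
    unsigned char raw[16];
    if (fill_random_from(source, raw, sizeof raw) != 0) {
        memset(out, 0, 33);
        return -1;
    }
    for (size_t i = 0; i < sizeof raw; i++) {
        out[2 * i] = hex[raw[i] >> 4];
        out[2 * i + 1] = hex[raw[i] & 0x0f];
    }
    out[32] = '\0';
    return 0;
}

int main(void)
{
    char salt[33];
    if (make_salt("/dev/urandom", salt) != 0)
        return 1;                  /* fail fast: no salt, so no hash */
    puts(salt);
    return 0;
}
```

Pointing `make_salt` at a source that yields too few bytes (for example /dev/null, which returns EOF immediately) exercises the failure path: the caller gets -1 and an empty buffer rather than a predictable salt.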