On Tue, Jun 14, 2016 at 3:56 PM, Davey Shafik <da...@php.net> wrote:

> On Tue, Jun 14, 2016 at 20:13 Fleshgrinder <p...@fleshgrinder.com> wrote:
>
> > On 6/14/2016 8:56 PM, Christoph Becker wrote:
> > > Yes, I'm aware of that, and that change isn't an issue for me (except
> > > maybe that it might happen in a minor version). I was responding to
> > > Richard (Fleshgrinder) who suggested to remove rand() and mt_rand()
> > > altogether, because there is random_int().
> > >
> >
> > I understood how you mean it. :)
> >
> > Call me ignorant but is this required in typical web applications?
> > Couldn't we move this functionality to PECL? I mean, it is required in
> > games but other than that.
> >
> > Please correct me if that is wrong!
> >
> > --
> > Richard "Fleshgrinder" Fussenegger
> >
>
> I think as this is a BC break it should require the 2/3 majority. I do
> support fixing the RNGs though.
>
> Have you done any checks on GitHub etc to see how widespread this usage is?
> I'd like to get some data on that too.
>

I don't have data, but a word of caution: Don't grep legacy crypto libraries
for use of rand() or mt_rand() for key/IV generation if you want to feel
any sense of optimism. Speaking from experience here! ;)

Scott Arciszewski
Chief Development Officer
Paragon Initiative Enterprises <https://paragonie.com/>