On 5 July 2016 at 04:02, Pierre Joye <pierre....@gmail.com> wrote:
> We can argue about the provided PRNG being CS but it is not php's job to
> decide.

I think we need to drop the concerns about exposing "RNG state". A reminder of what php_random_bytes looks at (in order):

* CryptGenRandom on Windows
* arc4random_buf on modern BSD (where ChaCha20 is used)
* Linux getrandom(2) syscall where available
* /dev/urandom where available
* Throws an exception if it cannot access one of the above

If these are weak RNGs on your system, YOUR SYSTEM is broken. They are all designed to be cryptographic quality.

If people are unconvinced we can temper the values with a secondary RNG, but there is absolutely no need to generate session IDs using a slow hashing algorithm.

For the record, I am +1 on removing hashing, -1 on the _other_ changes in this RFC.
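
The Linux part of the source order listed in the message above (getrandom(2), then /dev/urandom, then fail), feeding a session ID with no hash step, as an added example that is not code from this message or from PHP itself. The names `os_random_bytes` and `make_session_id`, the hex encoding and the 64-byte cap are assumptions made for illustration.

```c
/* Added example (not PHP source): Linux-only sketch of the fallback order. */
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <sys/random.h>
#include <sys/types.h>
#include <unistd.h>

/* Fill buf with n bytes from the kernel CSPRNG. Returns 0, or -1 when no
 * source works (the point where php_random_bytes throws; no weaker fallback). */
int os_random_bytes(unsigned char *buf, size_t n)
{
    size_t got = 0;
    while (got < n) {                              /* 1) getrandom(2) */
        ssize_t r = getrandom(buf + got, n - got, 0);
        if (r > 0) got += (size_t)r;
        else if (r == 0 || errno != EINTR) break;  /* e.g. ENOSYS: try device */
    }
    if (got == n) return 0;
    int fd = open("/dev/urandom", O_RDONLY);       /* 2) /dev/urandom */
    if (fd < 0) return -1;
    while (got < n) {
        ssize_t r = read(fd, buf + got, n - got);
        if (r > 0) got += (size_t)r;
        else if (r == 0 || errno != EINTR) break;
    }
    close(fd);
    return got == n ? 0 : -1;
}

/* Hex-encode raw CSPRNG output as the ID; out must hold 2*nbytes+1 chars. */
int make_session_id(char *out, size_t nbytes)
{
    static const char hex[] = "0123456789abcdef";
    unsigned char raw[64];                         /* cap is an assumption */
    if (nbytes == 0 || nbytes > sizeof raw) return -1;
    if (os_random_bytes(raw, nbytes) != 0) return -1;
    for (size_t i = 0; i < nbytes; i++) {
        out[2 * i]     = hex[raw[i] >> 4];
        out[2 * i + 1] = hex[raw[i] & 0x0f];
    }
    out[2 * nbytes] = '\0';
    return 0;
}

int main(void)
{
    char id[65];                                   /* 32 bytes -> 64 hex chars */
    return make_session_id(id, 32) == 0 && puts(id) >= 0 ? 0 : 1;
}
```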