On 05.07.2016 at 16:32, Leigh wrote: > On 5 July 2016 at 04:02, Pierre Joye <pierre....@gmail.com> wrote: >> We can argue about the provided pnrng being CS but it is not php's job to >> decide. > > I think we need to drop the concerns about exposing "RNG state". > > A reminder of what php_random_bytes looks at (in order): > * CryptGenRandom on Windows > * arc4random_buf on modern BSD (where ChaCha20 is used) > * Linux getrandom(2) syscall where available > * /dev/urandom where available > * Throws an exception if it cannot access one of the above
Would that imply that in this latter case sessions couldn't be used anymore? What would be the fallback in that case? From a quick glance at the current PR there appears to be none! -- Christoph M. Becker -- PHP Internals - PHP Runtime Development Mailing List To unsubscribe, visit: http://www.php.net/unsub.php
