Yasuo Ohgaki <yohg...@ohgaki.net> wrote on Tue., 4 Oct. 2016, 03:54:
> Hi Davey,
>
> On Tue, Oct 4, 2016 at 4:59 AM, Davey Shafik <da...@php.net> wrote:
> > On Sunday, October 2, 2016, Yasuo Ohgaki <yohg...@ohgaki.net> wrote:
> >>
> >> Hi all,
> >>
> >> On Mon, Oct 3, 2016 at 3:56 AM, Yasuo Ohgaki <yohg...@ohgaki.net> wrote:
> >> > Besides improving "more entropy" the default and data, I prepared
> >> > fully compatible patch to simplify discussion.
> >> >
> >> > https://gist.github.com/anonymous/fb615df325d559fa806a265031a06ede
> >> >
> >> > I would like to apply this patch from PHP 7.0 branch, then discuss what
> >> > the default should be.
> >> >
> >> > Any comments?
> >> > If there are no objections, I'll apply this a few days later.
> >
> >
> > Yasuo,
> >
> > This change should go through the standard RFC process and should be
> > targeted at 7.2+ (master) *only*.
> >
> > Please check with the RMs before merging functionality changes into release
> > branches. All functionality changes need consent and consensus. Bug fixes
> > (that don't change functionality or break BC) do not.
> >
> > I understand your desire to fix these things, especially the security
> > related type stuff, but as a group we have a responsibility to create
> > predictable, sane, and safe (as in, don't break stuff) migration paths when
> > we can. A history of doing this is WHY php is still going strong after so
> > long.
> >
> > Thanks,
>
> I agree fully.
>
> The only case this patch could break code is caused by broken PRNG in
> the system which is fatal anyway. i.e. If PRNG is broken, session
> module/random_*() cannot produce secure session ID/values. We don't
> have to worry about changed behavior/BC.
>
> The main motivation is to simplify this RFC discussion. I'll commit this
> patch master only.
>

It still needs an RFC.

Regards,
Niklas

> Regards,
>
> --
> Yasuo Ohgaki
> yohg...@ohgaki.net
>
> --
> PHP Internals - PHP Runtime Development Mailing List
> To unsubscribe, visit: http://www.php.net/unsub.php