> I really don't see any pros for caring about failing CSPRNG and fallback
> to weak behavior.
>
> 1) BC is extremely unlikely. Basically, no BC on healthy hardware/OS.
> 2) Then things failed, programs should fail properly. i.e. Shouldn't
> fallback to weaker/problematic code.
>

Failing closed on a missing CSPRNG isn't really important for uniqid(). There's no guarantee that uniqid() produces unguessable output. It tries to guarantee uniqueness and fails at the single one job it has for distributed systems.

I still think it's better to just leave it as is and deprecate it, maybe while moving a UUID ext to core.

Regards, Niklas

> Broken CSPRNG is like BUS error, i.e. hardware error, why should we care
> so much about it?
>
> Regards,
>
> --
> Yasuo Ohgaki
> yohg...@ohgaki.net