On 24.09.2019 at 06:18, Pierre Joye <pierre....@gmail.com> wrote:
> On Mon, Sep 23, 2019 at 10:17 PM Larry Garfield <la...@garfieldtech.com>
> wrote:
>
>> I cannot speak for OpenSSL, but random_bytes() and random_int() were
>> changed very late in the 7.0 cycle to throw exceptions so that they "fail
>> closed". Otherwise if you expect a random value back but get a constant
>> value (false or empty string), if you don't remember to check it yourself
>> every time then you now have a security hole because you're using a constant
>> seed for random-dependent behavior.
>>
>> That was a good change, and it should be kept that way, IMO.
>
> Fully agree. This is actually pretty much the only way to handle errors
> with these functions. Anything else creates a risk that we could have
> easily prevented.

The main point of my original mail was stripped so I changed the subject to emphasise what I really care about.

So here is my question: Am I the only one who thinks BC breaks should be fully covered in an RFC before voting?

Regards,
- Chris
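
The "fail closed" point in the quoted message above, as an added example that is not part of the original mail or of php-src. `fail_open_bytes()` and `fail_closed_bytes()` are hypothetical wrappers, and the broken randomness source is simulated with a flag.

```php
<?php
// Added illustration; the helper names and the failure flag are assumptions.
// Weak typing (no strict_types) is used on purpose, as in typical legacy code.

// Fail-open style: failure is reported through the return value.
function fail_open_bytes(int $length, bool $sourceBroken)
{
    if ($sourceBroken) {
        return false;               // the caller has to remember to check this
    }
    return random_bytes($length);
}

// Fail-closed style, as random_bytes() behaves since 7.0: no value comes back.
function fail_closed_bytes(int $length, bool $sourceBroken): string
{
    if ($sourceBroken) {
        throw new Exception('no usable randomness source');
    }
    return random_bytes($length);
}

// A caller that forgets the check: false is coerced to '' by bin2hex().
function token_unchecked(bool $sourceBroken): string
{
    return bin2hex(fail_open_bytes(16, $sourceBroken));
}

function token_fail_closed(bool $sourceBroken): string
{
    return bin2hex(fail_closed_bytes(16, $sourceBroken));
}

// Constructed scenario: the source is broken for every call.
$a = token_unchecked(true);
$b = token_unchecked(true);
var_dump($a === $b, $a);            // both "tokens" are the same constant

try {
    token_fail_closed(true);
} catch (Exception $e) {
    // Nothing was issued, so nothing predictable can be used downstream.
    echo "token not issued: ", $e->getMessage(), "\n";
}
```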