Hi!
> "The salt parameter, if provided, will be used in place of an
> auto-generated salt." This is setting someone up for failure by
> letting them put in something weak, you should be forced to get an
> auto-generated salt. If this is for unit testing then it should be
> explicitly stated.
This
Scott,
On Wed, Sep 12, 2012 at 12:57 PM, Scott MacVicar wrote:
> Concerns about the RFC after talking with someone (Alok) on our security
> team at work.
>
> "There is no requirement for them to be cryptographically secure. "
> What stops the salt from being cryptographically secure? I think it
On Wed, Sep 12, 2012 at 12:57 PM, Scott MacVicar wrote:
> "There is no requirement for them to be cryptographically secure. "
> What stops the salt from being cryptographically secure? I think it should be
> a goal or we should state what parts aren't cryptographically secure, is it
> the random
Concerns about the RFC after talking with someone (Alok) on our security team
at work.
"There is no requirement for them to be cryptographically secure. "
What stops the salt from being cryptographically secure? I think it should be a
goal or we should state what parts aren't cryptographically s
All,
I have added the tests and ensured that everything seems pretty clean. I
have opened a Pull Request for this item as I would like to get more eyes
on it (especially since it touches crypt()). Please review the PR and
comment away.
https://github.com/php/php-src/pull/191/files
Once it looks
Hello all,
I've closed the vote and it's been accepted with a vote total of 19:0,
unanimous. I've moved the RFC into Accepted.
I'm going to add the remaining tests, and then move it into master later.
As for the PECL extension route, I'll work on splitting it into a PECL
extension for 5.3/5.4 at
Hannes,
> > First off, this has been discussed on the list for literally months. Why
> > wait until the day before voting can end before bringing this up?
>
> So commenting is strictly forbidden during votes?
Not in the least. Just pointing out that this discussion could have been
better if it wa
hi,
On Tue, Sep 11, 2012 at 1:41 PM, Anthony Ferrara wrote:
> It's not the end of the world, because we can copy/paste that function into
> the PECL extension, and just conditionally include it. There would be
> duplication between the two, but it wouldn't be too bad...
agreed.
> Consider? Sur
Pierre,
On Tue, Sep 11, 2012 at 2:14 AM, Pierre Joye wrote:
> hi Stas,
>
> On Tue, Sep 11, 2012 at 12:23 AM, Stas Malyshev
> wrote:
> > OTOH, PECL module that can be built in 5.3/5.4 too might be nice. Not
> > everybody is going to upgrade to 5.5 soon, so having them participate
> > would be go
Pierre Joye wrote:
On Tue, Sep 11, 2012 at 12:23 AM, Stas Malyshev wrote:
>OTOH, PECL module that can be built in 5.3/5.4 too might be nice. Not
>everybody is going to upgrade to 5.5 soon, so having them participate
>would be good too. Maybe we could do it as a module and have it workable
>as P
hi Stas,
On Tue, Sep 11, 2012 at 12:23 AM, Stas Malyshev wrote:
> OTOH, PECL module that can be built in 5.3/5.4 too might be nice. Not
> everybody is going to upgrade to 5.5 soon, so having them participate
> would be good too. Maybe we could do it as a module and have it workable
> as PECL too
Hi!
> The benefit is that it can be tested properly and bugs discovered and
> ironed out first.
> This is not the sort of thing you want to get security bug reports the
> day after its released in core.
> If your ego is big enough you can guarantee you have tested this
> thoroughly and want it to
On Mon, Sep 10, 2012 at 3:31 PM, Anthony Ferrara wrote:
> Hannes,
>
> On Sun, Sep 9, 2012 at 12:23 PM, Hannes Magnusson
> wrote:
>>
>> On Tue, Sep 4, 2012 at 3:16 PM, Anthony Ferrara
>> wrote:
>> > Hello all,
>> >
>> > I'm opening the vote for the simplified password hashing API indicated
>> > h
Hannes,
On Sun, Sep 9, 2012 at 12:23 PM, Hannes Magnusson <
hannes.magnus...@gmail.com> wrote:
> On Tue, Sep 4, 2012 at 3:16 PM, Anthony Ferrara
> wrote:
> > Hello all,
> >
> > I'm opening the vote for the simplified password hashing API indicated
> here:
> >
> > https://wiki.php.net/rfc/passwor
On Tue, Sep 4, 2012 at 3:16 PM, Anthony Ferrara wrote:
> Hello all,
>
> I'm opening the vote for the simplified password hashing API indicated here:
>
> https://wiki.php.net/rfc/password_hash
>
I like the idea, but I don't understand why this isn't developed as an
extension first and then brough
15 matches