Am 23.09.2019 um 17:16 schrieb Larry Garfield <la...@garfieldtech.com>: > I cannot speak for OpenSSL, but random_bytes() and random_int() were changed > very late in the 7.0 cycle to throw exceptions so that they "fail closed". > Otherwise if you expect a random value back but get a constant value (false > or empty string), if you don't remember to check it yourself every time then > you now have a security hole because you're using a constant seed for > random-dependent behavior.
I see your point but I'm still not convinced that it is worth the BC. But whatever is decided for this specific change, I'm more interested in handling this properly for future RFCs, i.e. people should get the full picture concerning BC before voting. A little side-node: random_int(0, 0) does not throw an exception which makes random_bytes and random_int inconsistent by your logic ;-) - Chris -- PHP Internals - PHP Runtime Development Mailing List To unsubscribe, visit: http://www.php.net/unsub.php
