Hello, "A little side-node: random_int(0, 0) does not throw an exception which makes random_bytes and random_int inconsistent by your logic ;-)"
not really; there are still different functions; hence they can differ in their behavior; + that's not a matter of individual logic but an api choice; everything can be argued *; however, I don't see any BC break here but a `addon` instead of failing silently, like it was before; hiding a very wrong state. Regards. * the smiley doesn't help. On Mon, Sep 23, 2019 at 9:34 AM Christian Schneider <cschn...@cschneid.com> wrote: > Am 23.09.2019 um 17:16 schrieb Larry Garfield <la...@garfieldtech.com>: > > I cannot speak for OpenSSL, but random_bytes() and random_int() were > changed very late in the 7.0 cycle to throw exceptions so that they "fail > closed". Otherwise if you expect a random value back but get a constant > value (false or empty string), if you don't remember to check it yourself > every time then you now have a security hole because you're using a > constant seed for random-dependent behavior. > > I see your point but I'm still not convinced that it is worth the BC. > But whatever is decided for this specific change, I'm more interested in > handling this properly for future RFCs, i.e. people should get the full > picture concerning BC before voting. > > A little side-node: random_int(0, 0) does not throw an exception which > makes random_bytes and random_int inconsistent by your logic ;-) > > - Chris > > -- > PHP Internals - PHP Runtime Development Mailing List > To unsubscribe, visit: http://www.php.net/unsub.php > >
