On Tue, 24 Sep 2019 at 15:26, Larry Garfield <la...@garfieldtech.com> wrote:
> And no, random_int(0,0) does what it says on the tin: return a random int
> between 0 and 0. If you call it that way, well, it's your own PEBCAK. But
> it throws an exception if the underlying sources of entropy are not working
> for some reason, rather than returning something that can easily be
> mistaken for a valid integer.

I think the argument was that the consistent behaviour would be for random_bytes(0) and openssl_random_pseudo_bytes(0) to return '' (i.e. a random string which was zero bytes long). The result is just as logical, and just as meaningless, as "a number between 0 and 0" - in both cases, there is exactly one valid value, so every random choice returns that value.

The BC break is a separate discussion - the RFC listed some changes to openssl_random_pseudo_bytes but not this one.

Regards,
--
Rowan Tommins [IMSoP]