Hey Internals,

I realise I'm cutting it close with this one, but I want to propose some
changes to our standard random number generators.

The downside of this proposal is that our RNGs (rand() and mt_rand()) are
seedable and reproduce identical streams (platform dependent) for any given
seed. However, their implementations are broken or inconsistent, so we need
to weigh up the cost of changing these sequences versus having solid
implementations.

It is my opinion that if we are going to make any changes to these
functions, we should make all of the changes at the same time and avoid any
future disruption to their output.

The RFC contains a few proposals; some of them depend on each other while
others are standalone. Throughout the discussion phase I hope to reduce the
number of proposals down to a consensus we can vote on in two weeks' time.

I will release a patch when I have a better feeling for the direction we
want to take.

The issues I want to bring up for discussion are:

* Replacing mt_rand() and rand() with a strong, modern RNG.
* Alternatively, fixing the current mt_rand() implementation to make it
standard
* Aliasing rand() to mt_rand() to improve output and cross-platform support
* Fixing RAND_RANGE for large ranges.
* Replacing insecure uses of php_rand() with php_random_bytes()
* Making the array_rand() algorithm more efficient

The RFC can be found here: https://wiki.php.net/rfc/rng_fixes

If anyone knows of other fixes that should be made at the same time but I
have overlooked, please let me know so I can get them included.

Regards,

Leigh.
