Hi Yasuo,

uniqid() has never been, and is not claimed to be, guaranteed unique to
any particular standard.

On 12/09/2016 13:08, Yasuo Ohgaki wrote:
> Since we have to change "more entropy" to TRUE by default

Is your intention that the version without "more entropy" be deprecated,
and at some point the option removed? Or do you just want to increase
the visibility of this option by enabling it by default?

In other words, do you consider the function to be broken / useless if
this option is not set to true? Or do you think users don't understand
when to use it and when not?

> why not use much better entropy? php_combined_lcg() is a legacy entropy
> generator that _must not_ be used now. New code's entropy is more than a
> million times better for the same length. 50 bits of entropy is far from
> enough for crypt safety, though.

What costs and benefits will users see of changing the entropy
generator? Does it make uniqid() collisions less likely, and if so what
kind of probability are we talking about? Does it have a speed or memory
cost (over the existing more_entropy version, i.e. ignoring sleep)?

Even if we accept a) that the default parameters should be changed, and
b) that the source for "more entropy" should be changed, I'm not clear
why the output format also needs to change. Is there some reason the
output of php_random_bytes() can't be encoded into decimal digits,
rather than [0-v]?

Regards,
--
Rowan Collins
[IMSoP]
--
PHP Internals - PHP Runtime Development Mailing List