Hi!

> - Do you think your proposed strategy can solve this problem entirely
> without dropping djb3?
> - Would randomization still help as a defense-in-depth?

Note that to avoid problems with opcache we can only randomize on initial boot (even then synchronizing among different processes sharing opcache may be challenging). That means that the process would be running for extended time (at least days, in theory as long as uptime allows) with the same seed. Given that, I'm not sure how much randomization would really improve.

> To elaborate on the second question: even a 4-byte prefix for the hash
> function inputs that's randomly generated at $appropriateIntervalHere
> might make intentional collisions harder to trigger. (Then again, maybe
> not! The underlying structure of djb3 isn't exactly cryptographic.)

I don't see how we can do $appropriateIntervalHere if we use opcache. We could clean the cache of course but I'm not sure server owners would be very happy if their cache dropped at random intervals with accompanying load spike.

--
Stas Malyshev
smalys...@gmail.com

--
PHP Internals - PHP Runtime Development Mailing List
To unsubscribe, visit: http://www.php.net/unsub.php
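
Added example, not part of the original message or of PHP's source: assuming "djb3" refers to the times-33 string hash (DJBX33A form, initial value 5381), this C program checks the doubt in the quoted parenthetical by hashing a constructed equal-length pair behind many 4-byte prefixes and counting how often the pair still collides. The helper names, the xorshift stand-in for the random source and the sample keys are assumptions made for the illustration.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Times-33 string hash: h = h * 33 + byte, continuing from `state`. */
static uint64_t times33(uint64_t state, const unsigned char *s, size_t len)
{
    for (size_t i = 0; i < len; i++)
        state = state * 33 + s[i];
    return state;
}

/* Hash `key` as if a random 4-byte prefix had been prepended to it. */
static uint64_t hash_with_prefix(uint32_t prefix, const char *key)
{
    unsigned char p[4];
    memcpy(p, &prefix, sizeof p);
    uint64_t h = times33(5381, p, sizeof p);
    return times33(h, (const unsigned char *)key, strlen(key));
}

/* Deterministic xorshift32, standing in for the boot-time random source. */
static uint32_t next_prefix(uint32_t *x)
{
    *x ^= *x << 13; *x ^= *x >> 17; *x ^= *x << 5;
    return *x;
}

/* Count how many of `trials` prefixes leave keys a and b colliding. */
int surviving_collisions(const char *a, const char *b, int trials)
{
    uint32_t rng = 0x9E3779B9u; /* constructed seed for repeatable runs */
    int same = 0;
    for (int i = 0; i < trials; i++) {
        uint32_t prefix = next_prefix(&rng);
        if (hash_with_prefix(prefix, a) == hash_with_prefix(prefix, b))
            same++;
    }
    return same;
}

int main(void)
{
    /* Constructed pair: "Ez" and "FY" agree because 69*33+122 == 70*33+89. */
    printf("EzEz/FYFY: %d of 1000\n", surviving_collisions("EzEz", "FYFY", 1000));
    printf("EzEz/EzFZ: %d of 1000\n", surviving_collisions("EzEz", "EzFZ", 1000));
    return 0;
}
```

For equal-length keys the prefix only changes the state that both keys start from, and that term cancels when the two hashes are compared, so the first pair collides under every prefix while the control pair never does.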