> - Do you think your proposed strategy can solve this problem entirely
> without dropping djb3?
> - Would randomization still help as a defense-in-depth?

Note that to avoid problems with opcache we can only randomize on
initial boot (even then synchronizing among different processes sharing
opcache may be challenging). That means that the process would be
running for extended time (at least days, in theory as long as uptime
allows) with the same seed. Given that, I'm not sure how much
randomization would really improve.

> To elaborate on the second question: even a 4-byte prefix for the hash
> function inputs that's randomly generated at $appropriateIntervalHere
> might make intentional collisions harder to trigger. (Then again, maybe
> not! The underlying structure of djb3 isn't exactly cryptographic.)

I don't see how we can do $appropriateIntervalHere if we use opcache. We
could clean the cache of course but I'm not sure server owners would be
very happy if their cache dropped at random intervals with accompanying
load spike.
Stas Malyshev

PHP Internals - PHP Runtime Development Mailing List
To unsubscribe, visit: http://www.php.net/unsub.php

Reply via email to