Hi Davey,

On Tue, Oct 4, 2016 at 4:59 AM, Davey Shafik <da...@php.net> wrote:
> On Sunday, October 2, 2016, Yasuo Ohgaki <yohg...@ohgaki.net> wrote:
>>
>> Hi all,
>>
>> On Mon, Oct 3, 2016 at 3:56 AM, Yasuo Ohgaki <yohg...@ohgaki.net> wrote:
>> > Besides improving the "more entropy" default and data, I prepared
>> > a fully compatible patch to simplify discussion.
>> >
>> > https://gist.github.com/anonymous/fb615df325d559fa806a265031a06ede
>> >
>> > I would like to apply this patch from the PHP 7.0 branch, then discuss what
>> > the default should be.
>> >
>> > Any comments?
>> > If there are no objections, I'll apply this a few days later.
>
>
> Yasuo,
>
> This change should go through the standard RFC process and should be
> targeted at 7.2+ (master) *only*.
>
> Please check with the RMs before merging functionality changes into release
> branches. All functionality changes need consent and consensus. Bug fixes
> (that don't change functionality or break BC) do not.
>
> I understand your desire to fix these things, especially the security
> related type of stuff, but as a group we have a responsibility to create
> predictable, sane, and safe (as in, don't break stuff) migration paths when
> we can. A history of doing this is WHY PHP is still going strong after so
> long.
>
> Thanks,
I agree fully.

The only case in which this patch could break code is a broken PRNG in the system, which is fatal anyway. I.e., if the PRNG is broken, the session module/random_*() cannot produce secure session IDs/values. We don't have to worry about changed behavior/BC.

The main motivation is to simplify this RFC discussion. I'll commit this patch to master only.

Regards,

--
Yasuo Ohgaki
yohg...@ohgaki.net

--
PHP Internals - PHP Runtime Development Mailing List
To unsubscribe, visit: http://www.php.net/unsub.php
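The reply's point is that a broken system PRNG is a fatal condition for session security rather than a behaviour to keep compatible with: the only safe reaction is to refuse to issue an ID. The following PHP snippet is an added example illustrating that fail-closed behaviour; it is not the patch linked in the thread and not PHP's own session or random_*() implementation. The function names `make_session_id` and `start_secure_session` are hypothetical, and it relies only on documented PHP 7 behaviour: `random_bytes()` throws an `Exception` when the operating system's CSPRNG cannot supply bytes.

```php
<?php
// Added illustration (not the thread's patch, not PHP internals): issuing a
// session identifier from the system CSPRNG and failing closed when that
// source is unavailable, instead of degrading to a predictable fallback.

/**
 * Build a hex session identifier from $bytes of CSPRNG output.
 * random_bytes() either returns cryptographically secure bytes or throws;
 * there is no code path that silently yields a weak identifier.
 */
function make_session_id(int $bytes = 32): string
{
    return bin2hex(random_bytes($bytes));
}

/**
 * The only sensible handling of a CSPRNG failure in a session layer:
 * refuse to start the session. Falling back to uniqid()/mt_rand() or a
 * timestamp would produce guessable IDs, which is exactly what the
 * secure-by-default generation is meant to rule out.
 */
function start_secure_session(): bool
{
    try {
        $id = make_session_id();
    } catch (Exception $e) {
        // Broken PRNG: fatal for session security, so fail closed.
        error_log('CSPRNG unavailable, refusing to start session: ' . $e->getMessage());
        return false;
    }
    // Hex characters are within the default session.sid_bits_per_character
    // alphabet, so the ID is accepted as-is.
    session_id($id);
    return session_start();
}

// Usage (hypothetical web entry point): answer 503 rather than serve a
// request under a session whose identifier could not be generated securely.
if (PHP_SAPI !== 'cli' && !start_secure_session()) {
    http_response_code(503);
    exit;
}
```

The design choice worth noting is that the failure surfaces as an exception at the point of generation, so callers cannot forget to check a return value and continue with an empty or weak ID; the only decision left to the application is how loudly to fail.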