On 2016/03/09 11:26, Renaud Allard wrote:
>
>
> On 03/09/2016 11:11 AM, Stuart Henderson wrote:
> >On 2016/03/09 10:05, Stuart Henderson wrote:
> >>That should be fixed in mcrypt - it should use arc4random functions
> >>instead.
> >
> >In addition,
> >
> >https://github.com/paragonie/random_compat/blob/master/ERRATA.md
> >
> >1. libsodium if available
> >2. fread() /dev/urandom if available
> >3. mcrypt_create_iv($bytes, MCRYPT_DEV_URANDOM)
> >4. COM('CAPICOM.Utilities.1')->GetRandom()
> >5. openssl_random_pseudo_bytes()
> >
> >- libsodium is "security/pecl-libsodium", please set that as a dep,
> >it's the best choice for crypto primitives in PHP. But mcrypt should
> >still be fixed.
> >
>
> mcrypt upstream won't probably fix anything. Are you suggesting to fix this
> in the port of mcrypt itself?
>
Yes.
