On 1/9/2012 7:50 AM, Tom Worster wrote:
1. The proposal in the RFC is explicit: "The function should neither block
nor return a failure status in the case that the system's entropy pool is
depleted. However, it should allow the caller to discover if this is the
2. The current code implements that by setting the $is_strong_result flag
if it has to resort to urandom on Linux.
So, afaikt, what has been done _so_far_ is in alignment with your
As I said in the email discussing implementation, setting
$is_strong_result requires different code for each OS and this has not
been implemented yet.
I'm glad someone is doing something about making more sources of
randomness in PHP.
Instead of a 'bool', use an 'int' for $is_strong_result but more
accurately call it $result_strength. Assign a minimum recommended
threshold in the documentation against which application developers can
act. That is, let the application developer decide what the minimum
strength is that they are willing to accept. Otherwise, from an
application developer's perspective, it will appear to be some arbitrary
internal decision and won't really be a significant improvement over
other PHP functions - it'll just be one more confusing option to pick from.
As an aside, I recently developed a sufficient-for-most-needs CSPRNG in
Barebones CMS is a high-performance, open source content management
system for web developers operating in a team environment.
An open source CubicleSoft initiative.
Your choice of an MIT or LGPL license. http://barebonescms.com/