[TYPO3-core] RFC #9474: Integrate OpenID authentication support to TYPO3
Xavier Perseguers
typo3 at perseguers.ch
Mon Oct 13 16:48:36 CEST 2008
Hi Ingo,
> but as you said yourself, this is not a standard environment, thus I say
> we should leave out the @ as it also has performance implications.
Does it really matter for openid? I don't think so.
> If you're using a non-standard environment it's your job to take care of
> proper configuration, and as also mentioned by yourself already error
> messages should be turned off in production environments.
No. Taking care of proper configuration would force me to allow reading of
/dev/urandom, which you cannot force; this is why Dmitry added tests to
use /dev/random instead or the built-in PRNG. If you leave this without
the @ sign (which BTW is already present in many parts of the core), then
you force me (or any other administrator) to modify the source code
before being able to use it, as I won't allow access to /dev/urandom to
my customers. It removes entropy on my server and could be used as part
of an attack if my server is not able to regain entropy quickly enough.
> I'd also say that it's good to have error messages when something goes
> wrong in general - they're obviously there for a reason (to tell you
> that, and maybe even what went wrong). There's really no sense in
> suppressing error messages.
This is a warning, not an error message, and warnings should be suppressed
in proper coding; this is why I submitted this patch to Dmitry, who agreed.
--
Xavier Perseguers
http://xavier.perseguers.ch/en/tutorials/typo3.html