


Re: $RANDOM not Cryptographically secure pseudorandom number generator

From Ole Tange <ole@tange.dk>
Newsgroups gnu.bash.bug
Subject Re: $RANDOM not Cryptographically secure pseudorandom number generator
Date Mon, 3 Dec 2018 17:31:18 +0100
Message-ID <mailman.5088.1543854704.1284.bug-bash@gnu.org>
References <CA+4vN7zoPwhL5E82pDb=20yk4Dxdj=iRJiY2mmsbAtN1yqSeZw@mail.gmail.com> <868cc2da-cf67-298f-4640-ab1afcf857e0@case.edu> <CA+4vN7wkuCya7FES1HXiyFTF3a=pkVSdhVCthmjR29OwCAKZng@mail.gmail.com> <fa0b238c-9cb5-a840-ec6b-15cfd11d15cd@case.edu>
In-Reply-To <fa0b238c-9cb5-a840-ec6b-15cfd11d15cd@case.edu>



On Mon, Dec 3, 2018 at 3:56 PM Chet Ramey <chet.ramey@case.edu> wrote:

> There has to be a compelling reason to change this, especially at a point
> so close to a major release.

The reason for my submission was that I needed a bunch of random
numbers in a shell script, but I needed them to be high quality.
Luckily I did not just assume that Bash delivers high quality random
numbers, but I read the source code, and then found that the quality
was low. I do not think most users would do that.

The man page does not warn about the low quality either, and it does
not point to a way to get high quality numbers. Somehow we expect the
user to simply know this.

So from personal experience I have wasted a few hours on that account.

Had I simply assumed the numbers were high quality, it might have
caused problems for me at a later stage.

And it is to protect users who do not read the man page and source code
that I suggest the change.

> You might be expecting too much from bash's random number generator. Is
> the problem that its period is at most 2**16? For its intended uses, the
> cycle length is acceptable. Do you disagree?

If I read the man page, I do not see what the intended use is. Where
is that documented?

If the user's view on the intended use differs from the developers',
then there is a risk of misaligned expectations. Documenting the
developers' view is IMHO a poor way of mitigating this, if there is a
simple solution that will satisfy the demanding user.

I see software daily that is being used in ways it was not intended.
Usually it does not break, and for GNU tools this (in my experience)
is especially true, because the GNU project officially endorses
writing robust programs.

So my suggestion is really just to be proactive, so that when users do
not use it in the intended way, it will still not break.

If you choose not to implement a CSPRNG, then please at least make it
clear in the man page that $RANDOM is a poor RNG, and what the
intended use is.


/Ole
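Added example (not code from this thread, from Ole Tange, or from bash itself): the "way to get high quality numbers" the message says the man page lacks. The function names `urandom_int`, `urandom_hex` and `random_builtin_max` are my own; the block assumes `/dev/urandom` and `od(1)` are available, as on any Linux or BSD system. `urandom_int` draws 32 bits from the kernel CSPRNG and reduces them to a range with rejection sampling so the result is unbiased; `random_builtin_max` shows, by sampling, that `$RANDOM` never produces anything above 32767 (it is a 15-bit value), which is the range limitation discussed in the thread, separate from its predictability.

```shell
#!/usr/bin/env bash
# Added example for the $RANDOM discussion; not code from the bug-bash
# thread or from bash itself. Assumes /dev/urandom and od(1) exist.

# urandom_int N: print a uniformly distributed integer in [0, N), drawn
# from the kernel CSPRNG via /dev/urandom rather than from bash's $RANDOM.
# Rejection sampling keeps the result free of modulo bias.
urandom_int() {
    local n=$1 max=4294967296 limit r
    if [ "$n" -le 0 ] || [ "$n" -gt "$max" ]; then
        echo "urandom_int: N must be in 1..$max" >&2
        return 1
    fi
    # Largest multiple of N that fits in 32 bits. Raw values at or above
    # it would make the small residues slightly more likely, so redraw.
    limit=$(( max - max % n ))
    while :; do
        # four raw bytes -> one unsigned 32-bit integer (od pads with spaces)
        r=$(od -An -N4 -tu4 /dev/urandom | tr -d ' ')
        [ "$r" -lt "$limit" ] && break
    done
    echo $(( r % n ))
}

# urandom_hex BYTES: print BYTES random bytes as lowercase hex, e.g. for a
# session token or an unguessable temporary file suffix.
urandom_hex() {
    od -An -v -N"$1" -tx1 /dev/urandom | tr -d ' \n'
}

# random_builtin_max COUNT: draw COUNT values from $RANDOM and print the
# largest one seen. $RANDOM is a 15-bit value, so this never exceeds 32767.
random_builtin_max() {
    local i=0 v max=0
    while [ "$i" -lt "$1" ]; do
        v=$RANDOM
        [ "$v" -gt "$max" ] && max=$v
        i=$(( i + 1 ))
    done
    echo "$max"
}

# Usage when run as a script:
echo "dice roll (1-6): $(( $(urandom_int 6) + 1 ))"
echo "16-byte token: $(urandom_hex 16)"
echo "largest of 1000 \$RANDOM draws: $(random_builtin_max 1000)"
```

In a script that needs unpredictable values (temporary names, nonces, shuffles of sensitive data), replace every `$RANDOM` with a call to `urandom_int`; `shuf --random-source=/dev/urandom` and `openssl rand -hex` are alternatives where those tools are present.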
