Path: csiph.com!goblin1!goblin.stu.neva.ru!usenet.stanford.edu!not-for-mail From: Eduardo Bustamante Newsgroups: gnu.bash.bug Subject: Re: $RANDOM not Cryptographically secure pseudorandom number generator Date: Mon, 3 Dec 2018 10:53:01 -0800 Lines: 23 Approved: bug-bash@gnu.org Message-ID: References: <868cc2da-cf67-298f-4640-ab1afcf857e0@case.edu> <20181203173551.rpejfigeboqz6f4v@eeg.ccf.org> NNTP-Posting-Host: lists.gnu.org Mime-Version: 1.0 Content-Type: text/plain; charset="UTF-8" X-Trace: usenet.stanford.edu 1543864167 7577 208.118.235.17 (3 Dec 2018 19:09:27 GMT) X-Complaints-To: action@cs.stanford.edu To: bug-bash Envelope-to: bug-bash@gnu.org DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20161025; h=mime-version:references:in-reply-to:from:date:message-id:subject:to; bh=GEXmwsnzcQWHHPzVYHmGWOFKuxohMxcZGvHzrhmV++w=; b=Ud82cRFvKLLwx61cU5tuhQxiW4fPngkE1c6lJa3ciNs9Cc2lkYHsLZFuop1Br6zy2V e45B2JL4qIe5bOkwYEcv2ruqXVmaUuWg3TgGmCGlW4LaaRikRTdZC0dA3HSia8aBVDXR 2gpMFPmmqv85+Kqhw2eVI/ucEHnOTYOk6ISYgQJ3lwnvihtvjOOIJ4w5w0K/6+aRl+mz gOr+Wh1glYAoaigDpLLTkxYRG6TXDq5CEapLCRMLHa4vHJmBrElf6x7ZwG4yhC20wtRB rl4v2xpp47/8EE2K1ywZsMnT/6xYS/ECKeQ26pF0AfAcigKT86Tx4OlaLzD1ankfpsV5 8FgA== X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:mime-version:references:in-reply-to:from:date :message-id:subject:to; bh=GEXmwsnzcQWHHPzVYHmGWOFKuxohMxcZGvHzrhmV++w=; b=Vq900DgER1WgWPQ7uRysrbzviy2HPZlmIyrBCTNIzoHXo7/H6n5/x4/aGqJgbtoG61 lv5VRb20Mqe6hPuakUptQu8yhDl1RFq6vNPw9aITPBU3KOPk2aZ+PQijCv7Sr2Mx6D+G sqrRD4ovpUXI+CKGQPLIla9Gazm41rP92yFC1r8RBumTrFf+e7YXghd3r5AhpdjRgaZp yMs5qXkwlauNk4LFhg1nJDXc26wKu+rvjNWVDSSiSrebcSxO8uvZ9pTvLdfA7iEhgOYE HDg765gUcJTyntdphrMbu4kVf48LNdnmthP0q2uz9pOoSsXarn4CnOIzqHIjSeh+e6ss 2rHQ== X-Gm-Message-State: AA+aEWaMzQoD7G/auVOmhDrw3EQxYxpU+muFjq3yUVG9G29t1eEygyRo fMmbQrJlkNA8gtgJf03sUrU2ROEhS8dHk5h0CLjW/w== X-Google-Smtp-Source: AFSGD/XkTRetuTUwxt/4Z8E+Ct833H6td25vJFEpRcqwwDUPh3moW2c7J5jkeaio340Wnf4jfLeQjIZMKqJlPNHRKlQ= X-Received: by 2002:a2e:5654:: with SMTP id k81-v6mr10574973ljb.48.1543863193378; Mon, 03 Dec 2018 10:53:13 -0800 (PST) In-Reply-To: <20181203173551.rpejfigeboqz6f4v@eeg.ccf.org> X-detected-operating-system: by eggs.gnu.org: Genre and OS details not recognized. X-Received-From: 2a00:1450:4864:20::231 X-BeenThere: bug-bash@gnu.org X-Mailman-Version: 2.1.21 Precedence: list List-Id: Bug reports for the GNU Bourne Again SHell List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , Xref: csiph.com gnu.bash.bug:14890 On Mon, Dec 3, 2018 at 9:36 AM Greg Wooledge wrote: > > On Mon, Dec 03, 2018 at 05:31:18PM +0100, Ole Tange wrote: > > Luckily I did not just assume that Bash delivers high quality random > > numbers, but I read the source code, and then found that the quality > > was low. I do not think must users would do that. > > You're correct. Most users would not have to read the source code to > know that the built-in PRNG in bash (or in libc, or in basically ANY > other standard thing) is of lower than cryptographic quality. > > Most users already KNOW this. I have to echo this. If you are writing an application that requires high quality random number, the onus is on YOU to ensure that you're using quality sources and a good CSRNG. It would be a user mistake to just use whatever the standard library of the run-time you're using provides. Do we have to change C's rand() too? Or python's "random" module? Or perl's "rand"? Or ruby's? (etc etc) I do agree that adding a note in the manual to this effect would be nice though.