Groups | Search | Server Info | Keyboard shortcuts | Login | Register [http] [https] [nntp] [nntps]
Groups > gnu.bash.bug > #14890 > unrolled thread
| Started by | Eduardo Bustamante <dualbus@gmail.com> |
|---|---|
| First post | 2018-12-03 10:53 -0800 |
| Last post | 2018-12-03 10:53 -0800 |
| Articles | 1 — 1 participant |
Back to article view | Back to gnu.bash.bug
This discussion starts older than the indexed window; earlier articles aren't shown. The article labeled Started by
below is the oldest one visible, not the original post.
Re: $RANDOM not Cryptographically secure pseudorandom number generator Eduardo Bustamante <dualbus@gmail.com> - 2018-12-03 10:53 -0800
| From | Eduardo Bustamante <dualbus@gmail.com> |
|---|---|
| Date | 2018-12-03 10:53 -0800 |
| Subject | Re: $RANDOM not Cryptographically secure pseudorandom number generator |
| Message-ID | <mailman.5102.1543864166.1284.bug-bash@gnu.org> |
On Mon, Dec 3, 2018 at 9:36 AM Greg Wooledge <wooledg@eeg.ccf.org> wrote: > > On Mon, Dec 03, 2018 at 05:31:18PM +0100, Ole Tange wrote: > > Luckily I did not just assume that Bash delivers high quality random > > numbers, but I read the source code, and then found that the quality > > was low. I do not think must users would do that. > > You're correct. Most users would not have to read the source code to > know that the built-in PRNG in bash (or in libc, or in basically ANY > other standard thing) is of lower than cryptographic quality. > > Most users already KNOW this. I have to echo this. If you are writing an application that requires high quality random number, the onus is on YOU to ensure that you're using quality sources and a good CSRNG. It would be a user mistake to just use whatever the standard library of the run-time you're using provides. Do we have to change C's rand() too? Or python's "random" module? Or perl's "rand"? Or ruby's? (etc etc) I do agree that adding a note in the manual to this effect would be nice though.
Back to top | Article view | gnu.bash.bug
csiph-web