| Newsgroups | perl.perl5.porters |
|---|---|
| To | Perl5 Porters <perl5-porters@perl.org> |
| Subject | Re: Should we upgrade to a new PRNG in core? |
| In-Reply-To | <2b77a5db-96c1-4f28-82e8-a19f86ffe41f@darrenduncan.net> (Darren Duncan's message of "Fri, 23 Jan 2026 19:30:39 -0800") |
| Organization | The Eyrie |
| References | <e1f40576-0937-4dc3-908c-4c02e44e35a5@perturb.org> <2b77a5db-96c1-4f28-82e8-a19f86ffe41f@darrenduncan.net> |
| User-Agent | Gnus/5.13 (Gnus v5.13) |
| Date | Fri, 23 Jan 2026 19:44:46 -0800 |
| Message-ID | <87pl6zfzdd.fsf@hope.eyrie.org> |
| From | eagle@eyrie.org (Russ Allbery) |
Darren Duncan <darren@darrenduncan.net> writes:

> Assuming that the reason to change the PRNG is better security or
> similar benefits, I feel that it would be good for Perl to have the most
> secure option by default so users who don't know better get the
> benefits.

I know I made this point in previous discussions and I don't want to
belabor it, but because I work in this field and I am worried that this
knowledge is not widespread: The most secure option is to not use any type
of pseudo-random number generator and instead rely on /dev/random [1]. If
your concern is security, you should not use rand() and you should not use
any other new algorithm that similarly does not use /dev/random.

There are various other problems involved in making /dev/random as close
to really random as possible, and they can be quite complicated, but at
least other people are working on that for you and may have access to
hardware sources of randomness. This is not the case for a mathematical
algorithm built into Perl.

The primary reason to use rand() is if you need predictable (i.e., not
actually random) random numbers for test suites, reproducible randomized
algorithms, and other similar purposes, or as a fallback on platforms
without /dev/random or some equivalent. If /dev/random is available and
you want random numbers for security purposes, you should just use it via
Crypt::URandom, Crypt::Random, etc.

[1] Differences between /dev/urandom and /dev/random elided for
simplicity. Thankfully on modern Linux (and I think on some other
operating systems now?) you no longer have to care about this
distinction except in very narrow cases during system boot that Perl
scripts usually do not have to deal with, and can just use /dev/random
without worrying about blocking.

--
#!/usr/bin/perl -- Russ Allbery, Just Another Perl Hacker
$^=q;@!>~|{>krw>yn{u<$$<[~||<Juukn{=,<S~|}<Jwx}qn{<Yn{u<Qjltn{ > 0gFzD gD,
00Fz, 0,,( 0hF 0g)F/=, 0> "L$/GEIFewe{,$/ 0C$~> "@=,m,|,(e 0.), 01,pnn,y{
rw} >;,$0=q,$,,($_=$^)=~y,$/ C-~><@=\n\r,-~$:-u/ #y,d,s,(\$.),$1,gee,print
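Added example, not part of the message above or of the Perl core: a sketch of the split the message describes, with rand() replayed from a fixed seed and security-relevant values drawn from the OS random source. The helper names os_random_bytes and secure_int are hypothetical, and the fallback path assumes a Unix-like system that provides /dev/urandom.

```perl
#!/usr/bin/perl
use strict;
use warnings;

# Return $n bytes from the operating system's random source.
# (os_random_bytes is a hypothetical helper name for this example.)
sub os_random_bytes {
    my ($n) = @_;
    # Crypt::URandom is the CPAN module named in the message; use it if present.
    return Crypt::URandom::urandom($n) if eval { require Crypt::URandom; 1 };
    # Fallback (assumption: a Unix-like system that provides /dev/urandom).
    open(my $fh, '<:raw', '/dev/urandom') or die "open /dev/urandom: $!";
    my $buf = '';
    while (length($buf) < $n) {
        my $got = sysread($fh, $buf, $n - length($buf), length($buf));
        die "read /dev/urandom: $!" unless defined $got;
        die "unexpected EOF on /dev/urandom" if $got == 0;
    }
    close($fh);
    return $buf;
}

# Uniform integer in [0, $max) without modulo bias (rejection sampling).
# (secure_int is a hypothetical helper name for this example.)
sub secure_int {
    my ($max) = @_;
    die "max must be 1..0xFFFFFFFF" if $max < 1 || $max > 0xFFFFFFFF;
    # Largest multiple of $max that fits; draws at or above it are discarded.
    my $limit = 0xFFFFFFFF - (0xFFFFFFFF % $max);
    while (1) {
        my $v = unpack('N', os_random_bytes(4));
        return $v % $max if $v < $limit;
    }
}

# rand(): the same seed replays the same sequence, which is what a test suite
# wants and what a secret must never allow.
srand(42); my @first  = map { int(rand(1_000_000)) } 1 .. 3;
srand(42); my @second = map { int(rand(1_000_000)) } 1 .. 3;
print "rand() replayed from seed: ", ("@first" eq "@second" ? "yes" : "no"), "\n";

# Security-relevant values come from the OS instead.
print "session token: ", unpack('H*', os_random_bytes(16)), "\n";
print "6-digit code:  ", sprintf('%06d', secure_int(1_000_000)), "\n";
```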