Bug#537952: Use more random random seed than localtime

Jonathan Yu jonathan.i.yu at gmail.com
Wed Jul 22 02:43:33 UTC 2009


Hi Don:

Thanks for your bug report.

On Tue, Jul 21, 2009 at 7:03 PM, Don Armstrong <don at debian.org> wrote:
> Package: libmath-random-perl
> Severity: normal
>
> Math::Random has its random number only based on localtime:
>
> $ for a in $(seq 1 20); do perl -MMath::Random=random_uniform -e 'print join(q( ),random_uniform(4)),qq(\n)'; done;
> 0.489988645840918 0.579920159789368 0.993361818807086 0.955731167568429
> 0.489988645840918 0.579920159789368 0.993361818807086 0.955731167568429
> 0.489988645840918 0.579920159789368 0.993361818807086 0.955731167568429
> 0.489988645840918 0.579920159789368 0.993361818807086 0.955731167568429
> 0.489988645840918 0.579920159789368 0.993361818807086 0.955731167568429
> 0.489988645840918 0.579920159789368 0.993361818807086 0.955731167568429
> 0.489988645840918 0.579920159789368 0.993361818807086 0.955731167568429
> 0.819419456017508 0.208303777363999 0.341532488367642 0.140379340821991
> 0.819419456017508 0.208303777363999 0.341532488367642 0.140379340821991
> 0.819419456017508 0.208303777363999 0.341532488367642 0.140379340821991
> 0.819419456017508 0.208303777363999 0.341532488367642 0.140379340821991
> 0.819419456017508 0.208303777363999 0.341532488367642 0.140379340821991
> 0.819419456017508 0.208303777363999 0.341532488367642 0.140379340821991
> 0.819419456017508 0.208303777363999 0.341532488367642 0.140379340821991
> 0.819419456017508 0.208303777363999 0.341532488367642 0.140379340821991
> 0.819419456017508 0.208303777363999 0.341532488367642 0.140379340821991
> 0.819419456017508 0.208303777363999 0.341532488367642 0.140379340821991
> 0.819419456017508 0.208303777363999 0.341532488367642 0.140379340821991
> 0.819419456017508 0.208303777363999 0.341532488367642 0.140379340821991
> 0.819419456017508 0.208303777363999 0.341532488367642 0.140379340821991

Maybe a simpler solution (which doesn't require changes to the local
Math::Random) would be to use a module like Math::TrulyRandom to get
some truly random data, or otherwise get the data from, say,
/dev/random, to use as your seed. You can then set Math::Random's seed
using random_set_seed(@seed).

>
> While Math::Random clearly isn't for cryptographic use, using such a
> repeatable random seed isn't useful for non-cryptographic methods, and
> shouldn't be the default on systems where there is a better
> alternative.
>
> It should instead call Perl_seed to generate the random number in XS.
> I'll probably send in a patch in a bit which does this. [I probably
> won't bother to make it compatible with pre 5.8 versions of perl which
> don't have it, but that's not my problem.]

I believe such a patch would belong upstream, though I've got no
problem with applying such a patch in Debian, since users of the
module shouldn't depend on that (faulty) behaviour anyway.

I'm unfamiliar with how Perl_seed is supposed to work, and how such a
seed is obtained. It may still be safer to use Math::TrulyRandom,
which uses the timing of interrupts to get some real random data...

I'm not sure how Perl_seed is shared, between forks and between
threads, so that might be an issue with respect to security. Likely
such a seed isn't intended for cryptographic use, but is used for
seeding the hash algorithm to prevent denial of service type attacks.
>
>
> Don Armstrong
>
> --
> "A one-question geek test. If you get the joke, you're a geek: Seen on
> a California license plate on a VW Beetle: 'FEATURE'..."
>  -- Joshua D. Wachs - Natural Intelligence, Inc.
>
> http://www.donarmstrong.com              http://rzlab.ucr.edu
>
>
>
>
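
As an added illustration, not part of the original message or of Math::Random itself: one way to do the seeding suggested in the reply, reading the seed from the kernel's entropy device and passing it to random_set_seed. It reads /dev/urandom rather than /dev/random so the read does not block; seed_from_device and @SEED_MAX are names chosen for this example, and the seed bounds are those of the randlib generator underlying Math::Random.

```perl
#!/usr/bin/perl
use strict;
use warnings;
use Math::Random qw(random_set_seed random_get_seed random_uniform);

# Upper bounds for the two seed integers accepted by the randlib
# generator behind Math::Random (each seed must be >= 1).
# @SEED_MAX is a name chosen for this example.
my @SEED_MAX = (2_147_483_562, 2_147_483_398);

# Hypothetical helper: read two 32-bit values from an entropy device
# and fold them into the valid seed ranges. $dev is a parameter so
# that /dev/random can be substituted.
sub seed_from_device {
    my ($dev) = @_;
    $dev = '/dev/urandom' unless defined $dev;
    open(my $fh, '<:raw', $dev) or die "cannot open $dev: $!";
    my $buf = '';
    # Loop until all 8 bytes have arrived; a short read is not an error.
    while (length($buf) < 8) {
        my $n = read($fh, $buf, 8 - length($buf), length($buf));
        die "read from $dev failed: $!" unless defined $n;
        die "unexpected EOF on $dev" if $n == 0;
    }
    close($fh);
    my @raw = unpack('L2', $buf);    # two unsigned 32-bit integers
    # Map each value into 1..max so a zero seed is never produced.
    return map { 1 + $raw[$_] % $SEED_MAX[$_] } 0 .. 1;
}

# Seed once at startup, before drawing any numbers.
my @seed = seed_from_device();
random_set_seed(@seed);

print "seed in use: @{[ random_get_seed() ]}\n";
print join(' ', random_uniform(4)), "\n";
```

Run in the same shell loop as the bug report, each invocation now starts from a different seed instead of sharing one with every other process started around the same time.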
