Bug#644036: libcrypt-dsa-perl: unnecessary dependency on Data::Random

Harlan Lieberman-Berg hliebermanberg at gmail.com
Mon Oct 3 17:43:30 UTC 2011


Not to beat a dead horse, but: reading over the source of
Data::Random, I am frankly shocked that Crypt::DSA even includes
support for it.  At its core, Data::Random is just a huge wrapper
providing functionality around rand() - but that is in no way intended
for cryptographic use.  In fact, perldoc even says right in the rand
function description: "rand() is not cryptographically secure. You
should not rely on it in security-sensitive situations."

If we absolutely need an alternative /dev/random, perldoc recommends
another few possibilities, but CPRNGs are a significantly hard
problem, and I'd always recommend using something that is studied a
lot more than a perl module which is studied significantly less.
Crypt::Random::Secure could be used instead, or perhaps
Math::TrulyRandom, though neither of them have received anywhere as
much scrutiny as /dev/random.

Long story short, I would recommend that we simply refuse to install
the package where /dev/random is missing, and provide upstream with
patches to remove the ability to use Data::Random.

Best,

Harlan Lieberman-Berg
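
The following Perl sketch is an added example, not part of the original message and not code from Crypt::DSA or Data::Random. It contrasts bytes derived from rand() with bytes read from the kernel device, and fails closed when the device is missing; the helper names, the seed value and the 20-byte length are assumptions chosen for illustration.

```perl
#!/usr/bin/perl
# Added example: why rand()-derived bytes are unsuitable for key material,
# and a fail-closed reader for the kernel random device.
use strict;
use warnings;

# Hypothetical helper: build $n bytes from rand(), the way a thin wrapper
# around rand() would. The output is fully determined by the seed.
sub weak_bytes {
    my ($n, $seed) = @_;
    srand($seed);
    return join '', map { chr(int(rand(256))) } 1 .. $n;
}

# Hypothetical helper: read exactly $n bytes from the kernel device.
# There is deliberately no fallback: if the device is absent we die.
sub kernel_bytes {
    my ($n, $dev) = @_;
    $dev //= '/dev/random';
    open my $fh, '<:raw', $dev
        or die "refusing to generate key material: cannot open $dev: $!\n";
    my $buf = '';
    while (length($buf) < $n) {
        # Short reads are normal on this device, so loop until full.
        my $got = sysread $fh, $buf, $n - length($buf), length($buf);
        die "read from $dev failed: $!\n" unless defined $got;
        die "unexpected EOF on $dev\n"    if $got == 0;
    }
    close $fh;
    return $buf;
}

# Constructed demonstration values: seed 12345, 20 bytes (160 bits).
my $w1 = weak_bytes(20, 12345);
my $w2 = weak_bytes(20, 12345);
print "rand() output repeats for the same seed: ",
    ($w1 eq $w2 ? "yes" : "no"), "\n";

my $k1 = kernel_bytes(20);
my $k2 = kernel_bytes(20);
print "kernel output repeats: ", ($k1 eq $k2 ? "yes" : "no"), "\n";
print "sample kernel bytes: ", unpack('H*', $k1), "\n";
```

On systems where /dev/random blocks while the entropy pool is low, the second half of the script may pause before printing.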




