Bug#644036: libcrypt-dsa-perl: unnecessary dependency on Data::Random
Harlan Lieberman-Berg
hliebermanberg at gmail.com
Mon Oct 3 17:43:30 UTC 2011
Not to beat a dead horse, but: reading over the source of
Data::Random, I am frankly shocked that Crypt::DSA even includes
support for it. At its core, Data::Random is just a huge wrapper
providing functionality around rand() - but that is in no way intended
for cryptographic use. In fact, perldoc even says right in the rand
function description: "rand() is not cryptographically secure. You
should not rely on it in security-sensitive situations."

If we absolutely need an alternative /dev/random, perldoc recommends
another few possibilities, but CPRNGs are a significantly hard
problem, and I'd always recommend using something that is studied a
lot more than a perl module which is studied significantly less.
Crypt::Random::Secure could be used instead, or perhaps
Math::TrulyRandom, though neither of them has received anywhere as
much scrutiny as /dev/random.

Long story short, I would recommend that we simply refuse to install
the package where /dev/random is missing, and provide upstream with
patches to remove the ability to use Data::Random.

Best,
Harlan Lieberman-Berg
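
The contrast the message draws between rand() and /dev/random, as an added example that is not part of the original message and is not code from Crypt::DSA or Data::Random. The helper names, the seed value and the 20-byte length are assumptions chosen for illustration.

```perl
#!/usr/bin/perl
# Added illustration; not code from Crypt::DSA or Data::Random.
use strict;
use warnings;

# Hypothetical helper: draw $n bytes from Perl's built-in rand() after
# seeding it. The result is a pure function of the seed.
sub bytes_from_rand {
    my ($seed, $n) = @_;
    srand($seed);
    return join '', map { chr(int(rand(256))) } 1 .. $n;
}

# Hypothetical helper: draw $n bytes from the kernel random device.
# Dies if the device is missing, rather than falling back to rand().
sub bytes_from_device {
    my ($n, $path) = @_;
    $path = '/dev/random' unless defined $path;
    open(my $fh, '<', $path) or die "cannot open $path: $!";
    binmode($fh);
    my $buf = '';
    while (length($buf) < $n) {
        # Append at the current end of $buf until $n bytes are collected.
        my $got = sysread($fh, $buf, $n - length($buf), length($buf));
        die "read from $path failed: $!" unless defined $got;
        die "unexpected EOF on $path"    if $got == 0;
    }
    close($fh);
    return $buf;
}

my $seed = 20111003;    # constructed seed value
my $len  = 20;          # constructed length (160 bits)

my $first  = bytes_from_rand($seed, $len);
my $second = bytes_from_rand($seed, $len);
printf "rand() run 1:  %s\n", unpack('H*', $first);
printf "rand() run 2:  %s\n", unpack('H*', $second);
printf "same seed gives same bytes: %s\n", $first eq $second ? 'yes' : 'no';

printf "device read 1: %s\n", unpack('H*', bytes_from_device($len));
printf "device read 2: %s\n", unpack('H*', bytes_from_device($len));
```

The two rand() runs print identical bytes because the output depends only on the seed, while the two device reads differ. On older kernels a read from /dev/random can block until enough entropy is available.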