From owner-freebsd-current Sun Feb 16 22: 8:13 2003 Delivered-To: freebsd-current@freebsd.org Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125]) by hub.freebsd.org (Postfix) with ESMTP id F1A9F37B401; Sun, 16 Feb 2003 22:08:11 -0800 (PST) Received: from obsecurity.dyndns.org (adsl-63-207-60-52.dsl.lsan03.pacbell.net [63.207.60.52]) by mx1.FreeBSD.org (Postfix) with ESMTP id F2B0D43FA3; Sun, 16 Feb 2003 22:08:10 -0800 (PST) (envelope-from kris@obsecurity.org) Received: from rot13.obsecurity.org (rot13.obsecurity.org [10.0.0.5]) by obsecurity.dyndns.org (Postfix) with ESMTP id 8DE07679DA; Sun, 16 Feb 2003 22:08:10 -0800 (PST) Received: by rot13.obsecurity.org (Postfix, from userid 1000) id 515191117; Sun, 16 Feb 2003 22:08:10 -0800 (PST) Date: Sun, 16 Feb 2003 22:08:10 -0800 From: Kris Kennaway To: Tim Robbins Cc: Kris Kennaway , "Andrey A. Chernov" , current@FreeBSD.ORG Subject: Re: cvs commit: src/lib/libc/stdlib rand.c Message-ID: <20030217060810.GA68835@rot13.obsecurity.org> References: <200302170352.h1H3qawJ062671@repoman.freebsd.org> <20030217045729.GA68471@rot13.obsecurity.org> <20030217164048.A28273@dilbert.robbins.dropbear.id.au> Mime-Version: 1.0 Content-Type: multipart/signed; micalg=pgp-sha1; protocol="application/pgp-signature"; boundary="qDbXVdCdHGoSgWSk" Content-Disposition: inline In-Reply-To: <20030217164048.A28273@dilbert.robbins.dropbear.id.au> User-Agent: Mutt/1.4i Sender: owner-freebsd-current@FreeBSD.ORG Precedence: bulk List-ID: List-Archive: (Web Archive) List-Help: (List Instructions) List-Subscribe: List-Unsubscribe: X-Loop: FreeBSD.ORG --qDbXVdCdHGoSgWSk Content-Type: text/plain; charset=us-ascii Content-Disposition: inline On Mon, Feb 17, 2003 at 04:40:48PM +1100, Tim Robbins wrote: > I disagree. It's safe to use rand() in games and in certain kinds of > simulations when you don't care that the distribution isn't quite > uniform, or when you prefer speed over quality. I don't think rand() > needs a warning message like gets() &c. because it's not as dangerous. The problem is that there are a number of applications that use it when they should not. I've given examples of two of them, and there are probably lots of others I haven't noticed. For example, I just checked, and libICE appears to use rand() for cookie generation. This is completely bogus, and insecure. Note that I was only suggesting this patch be committed to -current for purposes of finding out what these applications are, and fixing them as appropriate. > I'd much prefer that rand() generated higher quality numbers, though. Me too, but that is apparently not possible because of API constraints. Kris --qDbXVdCdHGoSgWSk Content-Type: application/pgp-signature Content-Disposition: inline -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.2.1 (FreeBSD) iD8DBQE+UHxJWry0BWjoQKURApOPAJ91hmT/jit1cAd9XdgHmo27GPSSYQCfaNBb zlD2ddx+nMeLjX801e59L7s= =kJ08 -----END PGP SIGNATURE----- --qDbXVdCdHGoSgWSk-- To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-current" in the body of the message