Simplify the recommended alternatives to rand() #22873

Open: robrwo wants to merge 1 commit into base: blead

robrwo (Contributor) commented Dec 23, 2024

The CPAN Security Group (CPANSec) is currently working on guides to generating security-quality random data. We are focusing on modules that have secure defaults and are fairly lightweight.

We would like to change the recommended modules to ones that we think are better options.

Crypt::URandom is pure-perl, has fewer prerequisites than Crypt::Random, and works with Windows.

Crypt::PRNG has secure defaults and methods for generating different kinds of random data.

Math::Random::Secure has a lot of prerequisites and in the end is just relying on /dev/urandom, like Crypt::URandom does.

Math::TrulyRandom is from 1996, and it's unclear how well that technique will work on modern systems, especially VMs and containers.
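An added example, not part of the pull request or of perl's documentation: using the two modules named in the comment above in place of rand() for a secret token and for an unbiased integer in a range. The helper names (`weak_token`, `urandom_token`, `urandom_int`) are hypothetical; `urandom`, `random_bytes_hex` and `random_string_from` are the functions those modules export.

```perl
#!/usr/bin/env perl
use strict;
use warnings;
use Crypt::URandom qw(urandom);
use Crypt::PRNG qw(random_bytes_hex random_string_from);

# Before: rand() is a non-cryptographic generator, so tokens built
# from it must not be used as secrets.
sub weak_token {
    return join '', map { sprintf '%02x', int rand 256 } 1 .. 16;
}

# After: 16 bytes (128 bits) from the operating system's CSPRNG.
sub urandom_token {
    return unpack 'H*', urandom(16);
}

# Unbiased integer in [0, $n). A plain "$v % $n" over-represents small
# results whenever 2**32 is not a multiple of $n, so values that fall in
# the incomplete final block are rejected and redrawn.
sub urandom_int {
    my ($n) = @_;
    die "n must be between 1 and 0xFFFFFFFF\n"
        if $n < 1 || $n > 0xFFFFFFFF;
    # 2**32 mod n, computed without needing integers wider than 32 bits.
    my $rem = ((0xFFFFFFFF % $n) + 1) % $n;
    my $max = 0xFFFFFFFF - $rem;    # largest value that is accepted
    while (1) {
        my $v = unpack 'N', urandom(4);
        return $v % $n if $v <= $max;
    }
}

printf "rand() token (not for secrets): %s\n", weak_token();
printf "Crypt::URandom token:           %s\n", urandom_token();
printf "Crypt::PRNG hex token:          %s\n", random_bytes_hex(16);
# Constructed alphabet for illustration; visually ambiguous characters omitted.
printf "Crypt::PRNG string:             %s\n",
    random_string_from('ABCDEFGHJKLMNPQRSTUVWXYZ23456789', 20);
printf "Die roll via urandom_int:       %d\n", 1 + urandom_int(6);
```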
