Simplify the recommended alternatives to rand()#22873
Conversation
We will need to get this p.r. to pass t/porting/podcheck.t before we can proceed further.
The podchecker utility installed with Perl says it's ok. When I run it I get a compilation error that seems to have nothing to do with my change:
The failure is noted in the github actions run, it is because the pod checker must be told about the new non-core modules you are linking to:
I've updated it, and also updated other references to Math::TrulyRandom.
The only failing tests are cygwin, which I think has nothing to do with the POD changes.
0364e87 to e0535c
e0535c to dbce05a
perlfaq is maintained upstream on CPAN. So changes to its text should first be submitted to that distribution's issue tracker.
dbce05a to 0b731e1
I'm now satisfied with the structure of the pull request. I don't know enough about
This has been merged.
@robrwo Please do
The CPAN Security Group (CPANSec) is currently working on guides to generating security-quality random data [1]. We are focusing on modules that have secure defaults and are fairly lightweight.

We would like to change the recommended modules to ones that we think are better options.

Crypt::URandom is portable, has fewer prerequisites than Crypt::Random, Math::Random::Secure or Data::Entropy, and works with Windows.

Crypt::PRNG has secure defaults and methods for generating different kinds of random data.

Math::TrulyRandom hasn't been updated since 1996, and is a solution intended for systems without something like /dev/random.

Data::Entropy had a security issue that was recently fixed, and the latest version is marked as deprecated.

[1] https://security.metacpan.org/docs/guides/random-data-for-security.html
0b731e1 to 833d9da
What's delaying this? It's mid-2025 and the current POD is outdated.
The change on perlfaq was merged upstream but did not reach CPAN yet, so it will be integrated later. This point fixes the "requested change" from @jkeenan. Merging this important security-related recommendation on usage of alternative modules to be used for cryptographically secure random data generation.
8c71d4a into Perl:blead
The CPAN Security Group (CPANSec) is currently working on guides to generating security-quality random data. We are focusing on modules that have secure defaults and are fairly lightweight.
We would like to change the recommended modules to ones that we think are better options.
Crypt::URandom has fewer prerequisites than Crypt::Random, and works with Windows. (Older versions were pure-Perl.)
Crypt::PRNG has secure defaults and methods for generating different kinds of random data.
Math::Random::Secure has a lot of prerequisites and in the end is just relying on /dev/urandom, like Crypt::URandom does.
Math::TrulyRandom is from 1996, and it's unclear how well that technique will work on modern systems, especially VMs and containers.
Data::Entropy has recently been updated to fix security issues, and has been marked as deprecated.
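As an added illustration of the two modules the description recommends in place of rand() (this is example code written for this page, not code from the pull request, perlfaq or either module's distribution), the following script pulls raw bytes from the operating system's random source through Crypt::URandom and produces differently shaped outputs through Crypt::PRNG. It assumes Crypt::URandom and CryptX (the distribution that provides Crypt::PRNG) are installed from CPAN; the `random_index` helper and the `$n` parameter are the example's own, and the 32-bit upper bound it uses comes from `irand` returning an unsigned 32-bit integer.

```perl
#!/usr/bin/perl
# Added example, not part of PR #22873: obtaining security-quality random
# data with the modules the PR recommends instead of Perl's built-in rand().
use strict;
use warnings;

# Crypt::URandom: few prerequisites, reads the OS CSPRNG (/dev/urandom or the
# Windows equivalent) and hands back raw bytes.
use Crypt::URandom qw(urandom);

# Crypt::PRNG (from CryptX): a userspace CSPRNG seeded from the OS, with
# helpers that return bytes, hex, or printable strings.
use Crypt::PRNG qw(random_bytes random_bytes_hex random_string irand);

# A 256-bit secret as raw bytes, e.g. the material for a session token.
my $raw = urandom(32);
printf "Crypt::URandom: %d bytes -> %s\n", length $raw, unpack('H*', $raw);

# The same amount of entropy, already hex-encoded, via Crypt::PRNG.
my $hex = random_bytes_hex(32);
print "Crypt::PRNG hex:    $hex\n";

# A printable token from the module's default alphabet (A-Z, a-z, 0-9).
my $token = random_string(24);
print "Crypt::PRNG string: $token\n";

# random_index($n) - hypothetical helper for this example: pick an index in
# [0, $n) uniformly. irand() returns an unsigned 32-bit integer; taking it
# modulo $n directly would bias small indices when $n does not divide 2**32,
# so values at or above the largest multiple of $n are rejected and redrawn.
sub random_index {
    my ($n) = @_;
    die "n must be a positive integer" unless $n && $n > 0 && $n == int $n;
    my $range = 2**32;
    my $limit = $range - ($range % $n);   # largest multiple of $n <= 2**32
    my $r;
    do { $r = irand() } while $r >= $limit;
    return $r % $n;
}

# Example: choose one backup code from a constructed list without bias.
my @codes = map { random_string(10) } 1 .. 5;   # constructed sample data
my $picked = $codes[ random_index(scalar @codes) ];
print "Picked backup code: $picked\n";
```

Both modules are loaded at compile time, so a missing dependency fails the script immediately rather than silently falling back to rand(); that is the property a reviewer should look for when a code base claims to generate security-sensitive values.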