Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Simplify the recommended alternatives to rand() #22873

Open
wants to merge 4 commits into
base: blead
Choose a base branch
from

Conversation

robrwo
Copy link
Contributor

@robrwo robrwo commented Dec 23, 2024

The CPAN Security Group (CPANSec) is currently working on guides to generating security-quality random data. We are focusing on modules that have secure defaults and are fairly lightweight.

We would like to change the recommended modules to ones that we think are better options.

Crypt::URandom has fewer prerequisites than Crypt::Random, and works with Windows. (Older versions were pure-Perl.)

Crypt::PRNG has secure defaults and methods for generating different kinds of random data.

Math::Random::Secure has a lot of prerequisites and in the end is just relying on /dev/urandom, like Crypt::URandom does.

Math::TrulyRandom is from 1996, and it's unclear how well that technique will work on modern systems, especially VMs and containers.

@jkeenan
Copy link
Contributor

jkeenan commented Dec 24, 2024

We will need to get this p.r. to pass t/porting/podcheck.t before we can proceed further.

@robrwo
Copy link
Contributor Author

robrwo commented Dec 25, 2024

We will need to get this p.r. to pass t/porting/podcheck.t before we can proceed further.

The podchecker utility installed with Perl says it's ok.

When I run it I get a compilation error that seems to have nothing to do with my change:

porting/podcheck.t .. Can't locate Carp.pm in @inc (you may need to install the Carp module) (@inc entries checked: ../lib) at porting/podcheck.t line 17.
BEGIN failed--compilation aborted at porting/podcheck.t line 17.

@Grinnz
Copy link
Contributor

Grinnz commented Dec 25, 2024

The failure is noted in the github actions run, it is because the pod checker must be told about the new non-core modules you are linking to:

#   "Apparent broken link"
#     to "Crypt::URandom" near line 6672 of pod/perlfunc.pod
#     to "Crypt::PRNG" near line 6674 of pod/perlfunc.pod
# See end of this test output for your options on silencing this
# 
# HOW TO GET porting/podcheck.t TO PASS
# 
# There was 1 file that had new potential problems identified.
# Some of them may be real, and some of them may be false positives because
# this program isn't as smart as it likes to think it is.  You can teach this
# program to ignore the issues it has identified, and hence pass, by doing the
# following:
# 
# 1) If a problem is about a link to an unknown module or man page that
#    you know exists, re-run the command something like:
#       ./perl -I../lib porting/podcheck.t --add-link { MODULE | man_page ... }

@robrwo
Copy link
Contributor Author

robrwo commented Dec 26, 2024

I've updated it, and also updated other references to Math::TrulyRandom.

@robrwo
Copy link
Contributor Author

robrwo commented Dec 28, 2024

The only failing tests are cygwin, which I think has nothing to do with the POD changes.

robrwo added 4 commits January 7, 2025 09:24
The CPAN Security Group (CPANSec) is currently working on guides to
generating security-quality random data [1]. We are focusing on modules
that have secure defaults and are fairly lightweight.

We would like to change the recommended modules to ones that we think
are better options.

Crypt::URandom is portable, has fewer prerequisites than Crypt::Random,
Math::Random::Secure or Data::Entropy, and works with Windows.

Crypt::PRNG has secure defaults and methods for generating different
kinds of random data.

Math::TrulyRandom hasn't been updated since 1996, and is a solution
intended for systems without something like /dev/random.

[1] https://security.metacpan.org/docs/guides/random-data-for-security.html
@robrwo robrwo force-pushed the rrwo/rand-recommendations branch from 0364e87 to de0535c Compare January 7, 2025 09:25
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
None yet
Projects
None yet
Development

Successfully merging this pull request may close these issues.

3 participants