KRandom regression + fix

Albert Astals Cid aacid at kde.org
Wed Apr 27 22:45:21 BST 2016


El dimecres, 27 d’abril de 2016, a les 11:42:46 CEST, Frederik Schwarzer va 
escriure:
> Am 27.04.2016 08:48 schrieb Johannes Huber:
> 
> Hi Johannes,
> 
> >> KRandom saw a regression in KCoreAddon's 5.21.0 release, which impacts
> >> a
> >> wide range of applications and use cases. Since the rand() was not
> >> seeded, the numbers generated were predictable, which is ugly in games
> >> and probably alarming for bluetooth pairing.
> > 
> > thanks for the patch. When i read "randon numbers were predictable"
> > instantly
> > a alarm bell rings in my head. Is this a security issue?
> 
> The docs of rand() state that you should not use it for serious business
> like cryptography
> http://en.cppreference.com/w/cpp/numeric/random/rand
> and the most serious business I could see within KDE was PIN generation
> for Bluetooth pairing. But you can never know who is using it for what
> outside of the KDE infrastructure.
> 
> Since I am neither a core developer (just maintaining a game which was
> beaten by the consequences of this issue) nor a crypto guy, I cannot
> really assess the severity of such a regression but my first thoughts
> were:
> - why is there no unit test cathing this?

Because noone wrote one (obvious answer)

From my "i know nothing about random numbers", i guess it's hard to write a 
unit test for a sequente of random numbers, you can get ten "3" in a row and 
it's still a valid random sequence.

> - should KRandom api doc pass through the note of not using it for
> serious business in general?

Probably makes sense adopting what rand() says, yes. Would you propose a 
patch?

Cheers,
  Albert

> 
> That's why I CC'ed kde-core-devel.
> 
> Regards,
> Frederik






More information about the kde-core-devel mailing list