KRandom regression + fix
Frederik Schwarzer
schwarzer at kde.org
Wed Apr 27 23:18:05 BST 2016
Am 27.04.2016 23:45 schrieb Albert Astals Cid:
> El dimecres, 27 d’abril de 2016, a les 11:42:46 CEST, Frederik
> Schwarzer va
> escriure:
>> Am 27.04.2016 08:48 schrieb Johannes Huber:
>> > thanks for the patch. When i read "randon numbers were predictable"
>> > instantly
>> > a alarm bell rings in my head. Is this a security issue?
>>
>> The docs of rand() state that you should not use it for serious
>> business
>> like cryptography
>> http://en.cppreference.com/w/cpp/numeric/random/rand
>> and the most serious business I could see within KDE was PIN
>> generation
>> for Bluetooth pairing. But you can never know who is using it for what
>> outside of the KDE infrastructure.
>>
>> Since I am neither a core developer (just maintaining a game which was
>> beaten by the consequences of this issue) nor a crypto guy, I cannot
>> really assess the severity of such a regression but my first thoughts
>> were:
>> - why is there no unit test cathing this?
>
> Because noone wrote one (obvious answer)
Yes, of course that's the obvious answer. :)
I asked because the answer could have been something along the lines of
"because KRandom is old; do not use it; we have something new in
frameworks" or so.
> From my "i know nothing about random numbers", i guess it's hard to
> write a
> unit test for a sequente of random numbers, you can get ten "3" in a
> row and
> it's still a valid random sequence.
srand() is the same as srand(1) so it uses a fixed seed. Thus two
initialisations produce the same sequence. Not sure though if this can
be done in a unit test.
>> - should KRandom api doc pass through the note of not using it for
>> serious business in general?
>
> Probably makes sense adopting what rand() says, yes. Would you propose
> a
> patch?
Already did: https://git.reviewboard.kde.org/r/127767/
Comments about the wording welcome. :)
Regards,
Frederik
More information about the kde-core-devel
mailing list