KRandom regression + fix

Frederik Schwarzer schwarzer at
Wed Apr 27 23:18:05 BST 2016

Am 27.04.2016 23:45 schrieb Albert Astals Cid:
> El dimecres, 27 d’abril de 2016, a les 11:42:46 CEST, Frederik 
> Schwarzer va
> escriure:
>> Am 27.04.2016 08:48 schrieb Johannes Huber:

>> > thanks for the patch. When i read "randon numbers were predictable"
>> > instantly
>> > a alarm bell rings in my head. Is this a security issue?
>> The docs of rand() state that you should not use it for serious 
>> business
>> like cryptography
>> and the most serious business I could see within KDE was PIN 
>> generation
>> for Bluetooth pairing. But you can never know who is using it for what
>> outside of the KDE infrastructure.
>> Since I am neither a core developer (just maintaining a game which was
>> beaten by the consequences of this issue) nor a crypto guy, I cannot
>> really assess the severity of such a regression but my first thoughts
>> were:
>> - why is there no unit test cathing this?
> Because noone wrote one (obvious answer)

Yes, of course that's the obvious answer. :)
I asked because the answer could have been something along the lines of 
"because KRandom is old; do not use it; we have something new in 
frameworks" or so.

> From my "i know nothing about random numbers", i guess it's hard to 
> write a
> unit test for a sequente of random numbers, you can get ten "3" in a 
> row and
> it's still a valid random sequence.

srand() is the same as srand(1) so it uses a fixed seed. Thus two 
initialisations produce the same sequence. Not sure though if this can 
be done in a unit test.

>> - should KRandom api doc pass through the note of not using it for
>> serious business in general?
> Probably makes sense adopting what rand() says, yes. Would you propose 
> a
> patch?

Already did:
Comments about the wording welcome. :)


More information about the kde-core-devel mailing list