On Tue, Nov 16, 2021 at 7:04 PM Jeff King <peff@xxxxxxxx> wrote: > > On Tue, Nov 16, 2021 at 05:50:44PM -0800, Carlo Arenas wrote: > > > for the little amount of random data we need, it might be wiser to > > fallback to something POSIX like lrand48 which is most likely to be > > available, but of course your tests that consume lots of random data > > will need to change. > > Unfortunately that won't help. You have to seed lrand48 with something, > which usually means pid and/or timestamp. Which are predictable to an > attacker, which was the start of the whole conversation. You really need > _some_ source of entropy, and only the OS can provide that. again, showing my ignorance here; but that "something" doesn't need to be guessable externally; ex: git add could use as seed contents from the file that is adding, or even better mix it up with the other sources as a poor man's /dev/urandom I agree though that having a true random source will require the OS, but isn't it about generating 6 random letters? Carlo
