"brian m. carlson" <sandals@xxxxxxxxxxxxxxxxxxxx> writes:

>> * bc/csprng-mktemps (2022-01-17) 2 commits
>>  - wrapper: use a CSPRNG to generate random file names
>>  - wrapper: add a helper to generate numbers from a CSPRNG
>>
>>  Pick a better random number generator and use it when we prepare
>>  temporary filenames.
>>
>>  Are we solving the right problem?
>>  cf. <220118.86zgntpegy.gmgdl@xxxxxxxxxxxxxxxxxxx>
>>  source: <20220117215617.843190-1-sandals@xxxxxxxxxxxxxxxxxxxx>
>
> It sounds like folks would prefer we drop this series.  I'm not planning
> to send an alternate approach here.

I personally am OK with these two patches, by the way.

There was an interesting thought experiment to see if we can only
rely on mkstemp() and mkdtemp() that we assume are already secure
enough, but swapping the not-particularly-good linear congruential
generator used in git_mkstemps_mode() with a better algorithm that
is externally supported, making the security issue somebody else's
problem, is a good incremental improvement, I would think.

Unless I hear differently from others, I am planning to mark the
topic for 'next' in my draft of the "What's cooking" report.

Thanks.
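The approach discussed above, sketched as an added example (not code from this thread or from Git): a mkstemps-style helper that takes its file-name characters from the operating system's CSPRNG instead of a linear congruential generator. The names `os_random_bytes` and `demo_mkstemps` are hypothetical, and the sketch assumes `/dev/urandom` is available as the CSPRNG source.

```c
#include <errno.h>
#include <fcntl.h>
#include <string.h>
#include <unistd.h>

/* Assumption: /dev/urandom is the CSPRNG; small reads from it are not short. */
static int os_random_bytes(unsigned char *buf, size_t len)
{
	ssize_t n;
	int fd = open("/dev/urandom", O_RDONLY);
	if (fd < 0)
		return -1;
	n = read(fd, buf, len);
	close(fd);
	return n == (ssize_t)len ? 0 : -1;
}

/* Hypothetical helper: fill the "XXXXXX" before the suffix, then create the file. */
int demo_mkstemps(char *tmpl, size_t suffix_len, mode_t mode)
{
	static const char letters[] =
		"abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789";
	size_t len = strlen(tmpl), i, j;
	unsigned char buf[16];
	char *x;
	int attempt, fd;

	if (len < 6 + suffix_len || memcmp(tmpl + len - 6 - suffix_len, "XXXXXX", 6)) {
		errno = EINVAL;
		return -1;
	}
	x = tmpl + len - 6 - suffix_len;
	for (attempt = 0; attempt < 100; attempt++) {
		for (i = 0, j = sizeof(buf); i < 6; j++) {
			if (j == sizeof(buf)) { /* buffer used up: refill it */
				if (os_random_bytes(buf, sizeof(buf)) < 0)
					return -1;
				j = 0;
			}
			if (buf[j] < 248) /* 248 = 4 * 62: reject the rest, no modulo bias */
				x[i++] = letters[buf[j] % 62];
		}
		/* O_EXCL makes creation fail if the name exists, symlinks included. */
		fd = open(tmpl, O_CREAT | O_EXCL | O_RDWR, mode);
		if (fd >= 0 || errno != EEXIST)
			return fd;
	}
	errno = EEXIST;
	return -1;
}
```

Unpredictable names only reduce how often a pre-created file gets in the way; `O_CREAT | O_EXCL` is what prevents the helper from opening a file it did not create.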