Rich Felker <dalias@xxxxxxxx> wrote: > This is an extreme documentation/specification bug that *hurts* > portability and security. The core contract of the historical > arc4random function is that it *is* a CSPRNG. Having a function by > that name that's allowed not to be one means now all software using it > has to add detection for the broken glibc variant. > > If the glibc implementation has flaws that actually make it not a > CSPRNG, this absolutely needs to be fixed. Not doing so is > irresponsible and will set everyone back a long ways. Exactly!