On 28/12/2022 21:11, Alejandro Colomar wrote: > Hi Cristian, > > On 12/28/22 22:04, Cristian Rodríguez wrote: >> On Wed, Dec 28, 2022 at 5:57 PM Alejandro Colomar via Libc-alpha >> <libc-alpha@xxxxxxxxxxxxxx> wrote: >> >>> Ahh, I didn't connect the dots the other day! We don't need to wait for glibc. >>> libbsd already provides arc4random on GNU/Linux systems, so I can already >>> recommend using arc4random to seed srand(3). >>> >>> I'll prepare a patch... >>> >> >> I would suggest avoiding that, as it suffers from all the problems >> previously discussed on this list , on the relevant arc4random thread >> >> tl;dr , it can't be safe without kernel support, as you need to know >> when to drop the buffer. (on fork, on resume plus on $deity knows >> condition for which there is no kernel notification about) > > I don't consider rand(3) anything safe or really random, but rather a tool for simulations or debugging where repeatability matters more than anything else. > > For anything where randomness matters, arc4random(3) is the way to go. But randomness is not always what you want. What would you recommend for some software where you need to test/simulate many different cases, where you want to be able to repeat the tests? Can generate our stream of randomness values in a file and then the software can just run with those (like a one-time pad (OTP)). > Maybe we should make clear that rand(3) should never be used unless you want repeatable results. And when randomness matters in some cases, you could add a macro wrapping both rand(3) and arc4random(3), and use the appropriate one. Sounds reasonable to have the ability to run both ways if useful. Jonny