Okay I'll switch to other random source then.
On Wed, Aug 9, 2017 at 19:40, Adrien Destugues <pulkomandy@xxxxxxxxxxxxx> wrote:
On Wed, Aug 09, 2017 at 07:34:02PM +0200, philippe.houdoin@xxxxxxxxx
wrote:
c7a3a80cc62a: libroot: make mktemp() more random
... by seeding rand() with process id, user id and current time.
This fixes #13660
This doesn't sound right:
- If you call the function many times quickly, it will re-seed with the
same time, and return the same value over and over again,
- Calling srand without the user knowing is a bad idea, since apps may
rely on rand() always giving the same values in the same order for a
given seed.
Very clear from the POSIX spec:
http://pubs.opengroup.org/onlinepubs/009695399/functions/rand.html
"
The srand() function uses the argument as a seed for a new sequence of
pseudo-random numbers to be returned by subsequent calls to rand(). If
srand() is then called with the same seed value, the sequence of
pseudo-random numbers shall be repeated.
The implementation shall behave as if no function defined in this volume
of IEEE Std 1003.1-2001 calls rand() or srand().
"
So, we are not allowed to use srand, and we are not even allowed to use
rand at all. An alternative would be to use rand_r, or as axeld already
suggested, to implement arc4random and use that.
--
Adrien.
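
The two objections raised above (same-tick reseeding, and a hidden srand() clobbering the application's seeded sequence) and the rand_r alternative, as an added C example that is not code from the commit or from this thread. `suffix_with_srand`, `suffix_with_rand_r` and the seed values are hypothetical stand-ins for the patched mktemp() and its pid/uid/time seed.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

int rand_r(unsigned int *seed);  /* POSIX; declared in case strict ISO C hides it */

/* Hypothetical stand-in for the patched mktemp(): reseeds the shared rand()
 * state on every call. `seed` models pid ^ uid ^ current time. */
static int suffix_with_srand(unsigned int seed)
{
    srand(seed);
    return rand();
}

/* Same job with rand_r(): the generator state belongs to the caller. */
static int suffix_with_rand_r(unsigned int *state) { return rand_r(state); }

/* Two calls inside one clock tick see the same seed. Returns 1 on collision. */
int same_tick_collides(void)
{
    unsigned int tick_seed = 1502300042u;   /* constructed sample value */
    return suffix_with_srand(tick_seed) == suffix_with_srand(tick_seed);
}

/* Application seeds rand() with 42, the library runs once, then the app
 * draws four values. mode: 0 = no library call, 1 = srand(), 2 = rand_r(). */
static void app_draw(int mode, int out[4])
{
    unsigned int lib_state = 0x5eedu;       /* constructed sample value */
    srand(42);
    if (mode == 1) suffix_with_srand(1502300042u);
    if (mode == 2) suffix_with_rand_r(&lib_state);
    for (int i = 0; i < 4; i++) out[i] = rand();
}

/* Returns 1 if the library call left the app's seeded sequence untouched. */
int app_sequence_preserved(int mode)
{
    int expected[4], got[4];
    app_draw(0, expected);
    app_draw(mode, got);
    return memcmp(expected, got, sizeof expected) == 0;
}

int main(void)
{
    printf("%d %d %d\n", same_tick_collides(), app_sequence_preserved(1), app_sequence_preserved(2));
    return 0;
}
```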