On Mon, Dec 3, 2018 at 9:36 AM Greg Wooledge <wool...@eeg.ccf.org> wrote: > > On Mon, Dec 03, 2018 at 05:31:18PM +0100, Ole Tange wrote: > > Luckily I did not just assume that Bash delivers high quality random > > numbers, but I read the source code, and then found that the quality > > was low. I do not think must users would do that. > > You're correct. Most users would not have to read the source code to > know that the built-in PRNG in bash (or in libc, or in basically ANY > other standard thing) is of lower than cryptographic quality. > > Most users already KNOW this.
I have to echo this. If you are writing an application that requires high quality random number, the onus is on YOU to ensure that you're using quality sources and a good CSRNG. It would be a user mistake to just use whatever the standard library of the run-time you're using provides. Do we have to change C's rand() too? Or python's "random" module? Or perl's "rand"? Or ruby's? (etc etc) I do agree that adding a note in the manual to this effect would be nice though.