2012/1/1 Gerd Stolpmann <i...@gerd-stolpmann.de>:
> Am Sonntag, den 01.01.2012, 18:29 +0100 schrieb Xavier Leroy:
>> On 01/01/2012 01:52 PM, Richard W.M. Jones wrote:
>> > It may be worth noting that Perl solved this problem (back in 2003) by
>> > unconditionally using a seed which is a global set to a random number
>> > during interpreter initialization.
>> That's how my initial reimplementation of Hashtbl worked, using the
>> Random module to produce seeds, but I was told (correctly) that in
>> security-sensitive applications it's better to leave the generation of
>> random numbers under control of the programmer.  For some applications
>> Random.self_init might be good enough and for others stronger
>> randomness is needed.
>> Of course, you can trivially emulate Perl's behavior using the new
>> Hashtbl implementation + the Random module.
> Nevertheless, Ocaml is now widely used in environments where
> a certain minimum of security is demanded, and I think Ocaml should
> provide this minimum at least, and use it for things like an
> automatically chosen seed for hash tables.

I share Gerd's opinion that OCaml should provide a "reasonable
default", even if this default my not be enough for applications that
need a strong security.

Another "solution" would be to flag this API as a potential security
issue in the documentation and/or provide a compiler warning to emit a
warning if Hashtbl is used without proper initialization.

Best regards,

Caml-list mailing list.  Subscription management and archives:
Beginner's list: http://groups.yahoo.com/group/ocaml_beginners
Bug reports: http://caml.inria.fr/bin/caml-bugs

Reply via email to