Hello,

2012/1/1 Gerd Stolpmann <i...@gerd-stolpmann.de>:
> On Sunday, 01.01.2012, at 18:29 +0100, Xavier Leroy wrote:
>> On 01/01/2012 01:52 PM, Richard W.M. Jones wrote:
[...]
>> > It may be worth noting that Perl solved this problem (back in 2003) by
>> > unconditionally using a seed which is a global set to a random number
>> > during interpreter initialization.
>>
>> That's how my initial reimplementation of Hashtbl worked, using the
>> Random module to produce seeds, but I was told (correctly) that in
>> security-sensitive applications it's better to leave the generation of
>> random numbers under control of the programmer. For some applications
>> Random.self_init might be good enough and for others stronger
>> randomness is needed.
>>
>> Of course, you can trivially emulate Perl's behavior using the new
>> Hashtbl implementation + the Random module.
[...]
> Nevertheless, Ocaml is now widely used in environments where
> a certain minimum of security is demanded, and I think Ocaml should
> provide this minimum at least, and use it for things like an
> automatically chosen seed for hash tables.

I share Gerd's opinion that OCaml should provide a "reasonable default", even if this default may not be enough for applications that need strong security. Another "solution" would be to flag this API as a potential security issue in the documentation and/or provide a compiler warning to emit a warning if Hashtbl is used without proper initialization.

Best regards,
david