On Wed, 28 Sep 2016 13:47:49 +0200, Emmanuel Bourg wrote:
Le 28/09/2016 à 13:40, Gilles a écrit :
If not, then random utilities are not best located in Commons Lang,
because indeed the no-dep requirement forces you to go through
"java.util.Random" which is bad (TM) for several reasons, mentioned
here, there, and everywhere.
I agree java.util.Random is suboptimal as an implementation, but it's
perfectly fine as an interface.
It is not. See the post I've just sent.
It can be swapped with a
java.security.SecureRandom if quality matters.
The interchangeability of "Random" and "SecureRandom" is beside
the point.
PRNG for cryptographic use, or not, have different priorities
and requirements.
It is only the most superficial analysis that would consider it
important that "SecureRandom" extends "Random".[1]
An application that would allow either is probably not to be
trusted for anything cryptographic.
Conversely, using "SecureRandom" in place of a deterministic
RNG is only useful in toy applications since the main feature
(of non-secure RNGs) one usually needs is reproducibility.
"SecureRandom" have requirements that are utterly foreign to
deterministic implementations (cf. entropy management).
Also "SecureRandom" can be comparatively slow. Letting users
think that they can use them interchangeably is bad advice.
Gilles
[1] Even the Java architects have indirectly acknowledged that,
by having a new random-related class _NOT_ extend "Random"
(allowing them to drop all the cruft brought by it).
Emmanuel Bourg
---------------------------------------------------------------------
To unsubscribe, e-mail: dev-unsubscr...@commons.apache.org
For additional commands, e-mail: dev-h...@commons.apache.org
