On 01/03/2017 02:47 PM, Michael Paquier wrote:
(Adding Heikki in CC who committed this code)

On Mon, Jan 2, 2017 at 8:20 AM,  <rightf...@gmail.com> wrote:
The C source code of gen_random_uuid reads:

    /*
    * Generate random bits. pg_backend_random() will do here, we don't
    * promise UUIDs to be cryptographically random, when built with
    * --disable-strong-random.
    */

However, the pgcrypto documentation does not mention
--disable-strong-random at all. I think the documentation should
mention under which conditions the function returns secure data.

That's actually a good idea. But as it does not only apply to
gen_random_uuid(), I would think that a notice at the top of the
pgcrypto documentation would make the most sense. Something like:
"If PostgreSQL is built with --disable-strong-random, the data
generated by the functions is not guaranteed to be cryptographically
random."

Hmm, not sure what to do here. --disable-strong-random is similar to e.g. --disable-spinlocks; no reasonable production platform would use it. So I'm not inclined to sprinkle references to it across the docs, it seems better to document what it changes, in the description of --disable-strong-random itself.

To be pedantic, the documentation only claims that gen_random_bytes() returns cryptographically strong values. For gen_random_uuid(), it just says that it's "random". But yeah, it's subtle. By the feat of having them side-by-side, and a similar name, you'd think that they behave the same. And with --enable-strong-random, they do.

I'm inclined to change gen_random_uuid() to throw an error if the server is built with --disable-strong-random, like gen_random_bytes() does. That way, they would behave the same.

Thoughts?

- Heikki
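
The behaviour proposed above, where UUID generation raises an error instead of falling back to a weaker generator when no strong random source is available, sketched as a stand-alone C example added here (it is not PostgreSQL or pgcrypto code). The names `random_source`, `strong_random`, `no_strong_random`, `fixed_source` and `gen_uuid_v4` are hypothetical, and reading `/dev/urandom` assumes a Unix-like host.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Hypothetical source type: fills buf with len bytes, returns false on failure. */
typedef bool (*random_source)(void *buf, size_t len);

/* Strong source: the OS CSPRNG via /dev/urandom (assumes a Unix-like host). */
bool strong_random(void *buf, size_t len)
{
    FILE *f = fopen("/dev/urandom", "rb");
    if (f == NULL)
        return false;
    size_t got = fread(buf, 1, len, f);
    fclose(f);
    return got == len;
}

/* Constructed stand-in for a build with no strong source: always fails. */
bool no_strong_random(void *buf, size_t len) { (void) buf; (void) len; return false; }

/* Constructed fixed source (all 0xff), only to make the bit-setting checkable. */
bool fixed_source(void *buf, size_t len) { memset(buf, 0xff, len); return true; }

/* Writes a version 4 UUID to out. Returns 0, or -1 (out untouched) if the
 * source failed; there is deliberately no fallback to a weaker generator. */
int gen_uuid_v4(random_source src, uint8_t out[16])
{
    uint8_t tmp[16];
    if (!src(tmp, sizeof tmp))
        return -1;
    tmp[6] = (tmp[6] & 0x0f) | 0x40;    /* version 4 */
    tmp[8] = (tmp[8] & 0x3f) | 0x80;    /* RFC 4122 variant */
    memcpy(out, tmp, sizeof tmp);
    return 0;
}

int main(void)
{
    uint8_t u[16];
    if (gen_uuid_v4(strong_random, u) != 0)
        return 1;                       /* fail closed: no UUID at all */
    for (int i = 0; i < 16; i++)
        printf("%02x%s", u[i], (i == 3 || i == 5 || i == 7 || i == 9) ? "-" : "");
    putchar('\n');
    return gen_uuid_v4(no_strong_random, u) == -1 ? 0 : 1;
}
```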


