Peter Geoghegan <p...@bowt.ie> writes: > It's always possible to make a change that might stop someone from > introducing a bug. The question ought to be: why this change, and why > now?
The point here is not to be cryptographically strong at every single place where the backend might want a random number; I think we're all agreed that we don't need that. To me, the point is to ensure that the user-accessible random sequence is kept separate from internal uses, and the potential security exposure in the new random-logging patch is what justifies getting more worried about this than we were before. Now, we could probably fix that with some less intrusive patch than #define'ing random() --- in particular, if we give drandom and setseed their own private PRNG state, we've really fixed the security exposure without need to change anything else anywhere. So maybe we should just do that and be happy. regards, tom lane