I've had this sitting around for a while.

GLib's g_rand* functions use a simple Mersenne Twister, and the docs
warn against their use where strong randomness is needed:

https://developer.gnome.org/glib/stable/glib-Random-Numbers.html

g_rand_* are deterministic, while g_random_* are nondeterministic.

Grepping for these functions in ports' source shows that many projects
use them in crypto code. I've talked to the GNOME developers about this,
and they're considering how to deal with it. I've also reported bugs to
a handful of projects using these functions dangerously.

In the meantime, I think it's best to patch g_random_int() to call
arc4random(). The semantics are identical and g_random_int() is the most
commonly used of these functions, so I think it's a good place to start.
The others will probably take a little more care.

It doesn't cause test regressions, and the change seems straightforward.


Index: Makefile
===================================================================
RCS file: /cvs/ports/devel/glib2/Makefile,v
retrieving revision 1.252
diff -u -p -u -r1.252 Makefile
--- Makefile    18 Apr 2016 06:46:30 -0000      1.252
+++ Makefile    4 May 2016 23:42:20 -0000
@@ -4,6 +4,7 @@ COMMENT=                general-purpose utility librar
 
 GNOME_PROJECT=         glib
 GNOME_VERSION=         2.48.0
+REVISION=              0
 PKGNAME=               ${DISTNAME:S/glib/glib2/}
 
 CATEGORIES=            devel
Index: patches/patch-glib_grand_c
===================================================================
RCS file: patches/patch-glib_grand_c
diff -N patches/patch-glib_grand_c
--- /dev/null   1 Jan 1970 00:00:00 -0000
+++ patches/patch-glib_grand_c  4 May 2016 23:42:20 -0000
@@ -0,0 +1,16 @@
+$OpenBSD$
+--- glib/grand.c.orig  Mon Feb 29 09:32:44 2016
++++ glib/grand.c       Wed May  4 19:31:36 2016
+@@ -649,11 +649,7 @@ get_global_random (void)
+ guint32
+ g_random_int (void)
+ {
+-  guint32 result;
+-  G_LOCK (global_random);
+-  result = g_rand_int (get_global_random ());
+-  G_UNLOCK (global_random);
+-  return result;
++  return arc4random ();
+ }
+ 
+ /**
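Review bot: the $OpenBSD$ header line is followed directly by the file header with no comment explaining the patch; port patch files conventionally carry a one-line rationale there (here: route g_random_int() to arc4random() because the global Mersenne Twister is not a CSPRNG), so add it. The rationale should also state what the removed lines show: g_random_int() previously drew from the shared generator under G_LOCK (global_random) via g_rand_int (get_global_random ()), and the replacement bypasses that generator entirely, so g_random_int() no longer advances or shares state with the remaining g_random_* functions that still call get_global_random(), and seeding the global generator for reproducible output no longer influences it; "the semantics are identical" in the mail holds for the return type and range, not for that shared-state behaviour. Finally, the hunk adds no #include: confirm that glib/grand.c already includes <stdlib.h>, which declares arc4random() on OpenBSD, or the call compiles as an implicit declaration.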
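Why the mail's concern matters in practice, shown as an added example that is not part of the original mail, the port, or GLib: the textbook MT19937 generator (the Mersenne Twister variant GLib's GRand is built on) together with the standard state-recovery attack against it. Anyone who can observe 624 consecutive 32-bit outputs of g_rand_int() or g_random_int() can undo the output tempering, rebuild the full generator state and predict every later output; arc4random() has no such property. The function names, the victim seed values and the reference init_genrand seeding below are this example's own assumptions; the attack itself uses only the observed outputs.

```c
/* Added example, not from the mail, the port or GLib: reference MT19937
 * plus the 624-output state-recovery attack. Seeding is the reference
 * init_genrand() and is only an assumption about the victim. */
#include <stdint.h>
#include <stdio.h>

#define MT_N 624
#define MT_M 397
#define MT_MATRIX_A   0x9908b0dfU
#define MT_UPPER_MASK 0x80000000U
#define MT_LOWER_MASK 0x7fffffffU

typedef struct {
    uint32_t mt[MT_N];
    int mti;   /* next state word to output; MT_N means "twist first" */
} mt19937;

/* Reference init_genrand() seeding (assumed for the victim). */
void mt_seed(mt19937 *r, uint32_t seed)
{
    r->mt[0] = seed;
    for (int i = 1; i < MT_N; i++)
        r->mt[i] = 1812433253U * (r->mt[i - 1] ^ (r->mt[i - 1] >> 30)) + (uint32_t)i;
    r->mti = MT_N;
}

/* Generate the next 624 state words in place (the "twist"). */
static void mt_twist(mt19937 *r)
{
    for (int k = 0; k < MT_N; k++) {
        uint32_t y = (r->mt[k] & MT_UPPER_MASK) | (r->mt[(k + 1) % MT_N] & MT_LOWER_MASK);
        r->mt[k] = r->mt[(k + MT_M) % MT_N] ^ (y >> 1) ^ ((y & 1U) ? MT_MATRIX_A : 0U);
    }
    r->mti = 0;
}

/* Output tempering: a bijection on 32-bit words, which is why it can be undone. */
uint32_t mt_temper(uint32_t y)
{
    y ^= y >> 11;
    y ^= (y << 7) & 0x9d2c5680U;
    y ^= (y << 15) & 0xefc60000U;
    y ^= y >> 18;
    return y;
}

/* Invert mt_temper(): undo each step in reverse order. The >>18 and <<15
 * steps invert in one pass; the <<7 and >>11 steps need a few fixed-point
 * passes because their shifted bits overlap bits already being recovered. */
uint32_t mt_untemper(uint32_t y)
{
    uint32_t x;
    y ^= y >> 18;
    y ^= (y << 15) & 0xefc60000U;
    x = y;
    for (int i = 0; i < 5; i++)        /* 7 bits recovered per pass */
        x = y ^ ((x << 7) & 0x9d2c5680U);
    y = x;
    x = y;
    for (int i = 0; i < 3; i++)        /* 11 bits recovered per pass */
        x = y ^ (x >> 11);
    return x;
}

uint32_t mt_next(mt19937 *r)
{
    if (r->mti >= MT_N)
        mt_twist(r);
    return mt_temper(r->mt[r->mti++]);
}

/* n-th output (1-based) after seeding; lets the generator be checked
 * against the published reference values for seed 5489. */
uint32_t mt_nth_from_seed(uint32_t seed, int n)
{
    mt19937 r;
    uint32_t v = 0;
    mt_seed(&r, seed);
    for (int i = 0; i < n; i++)
        v = mt_next(&r);
    return v;
}

/* The attack: untemper 624 observed outputs straight into a clone's state,
 * then count how many of the victim's next `probe` outputs the clone predicts. */
int mt_clone_and_predict(uint32_t victim_seed, int probe)
{
    mt19937 victim, clone;
    int hits = 0;
    mt_seed(&victim, victim_seed);
    for (int i = 0; i < MT_N; i++)     /* "observe" one full state's worth of output */
        clone.mt[i] = mt_untemper(mt_next(&victim));
    clone.mti = MT_N;                  /* both generators are now due for a twist */
    for (int i = 0; i < probe; i++)
        if (mt_next(&clone) == mt_next(&victim))
            hits++;
    return hits;
}

int main(void)
{
    printf("first output for seed 5489: %u\n", mt_nth_from_seed(5489U, 1));
    printf("predicted %d of 1000 outputs after observing 624\n",
           mt_clone_and_predict(0x1234abcdU, 1000));
    return 0;
}
```

The clone never learns the seed: it reconstructs the 624-word state directly from outputs, which is why re-seeding a g_rand_* generator with a secret does not help once enough of its output is visible. That is the gap between "deterministic" and "cryptographically strong" that the linked GLib documentation warns about, and the reason a kernel-backed source such as arc4random() is the right replacement for security-sensitive callers.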
