Not to beat a dead horse, but: reading over the source of
Data::Random, I am frankly shocked that Crypt::DSA even includes
support for it.  At its core, Data::Random is just a huge wrapper
providing functionality around rand() - but that is in no way intended
for cryptographic use.  In fact, perldoc even says right in the rand
function description: "rand() is not cryptographically secure. You
should not rely on it in security-sensitive situations."

If we absolutely need an alternative /dev/random, perldoc recommends
another few possibilities, but CPRNGs are a significantly hard
problem, and I'd always recommend using something that is studied a
lot more than a perl module which is studied significantly less.
Crypt::Random::Secure could be used instead, or perhaps
Math::TrulyRandom, though neither of them have received anywhere as
much scruitiny as /dev/random.

Long story short, I would recommend that we simply refuse to install
the package where /dev/random is missing, and provide upstream with
patches to remove the ability to use Data::Random.

Best,

Harlan Lieberman-Berg



-- 
To UNSUBSCRIBE, email to [email protected]
with a subject of "unsubscribe". Trouble? Contact [email protected]

Reply via email to