On Fri, Sep 7, 2012 at 9:58 AM, brian d foy <brian.d....@gmail.com> wrote:
>
> David Oswald <daosw...@gmail.com> wrote:
>
>> So if there are no objections, I'd like to request the namespace
>> Bytes::Random::Secure.
>
> No objection, other than it would be nice to have a single module that
> provided all of it. Could you add your stuff to the existing module?

My concern is this:  The dependency chain for Bytes::Random::Secure is
anything *but* minimal.  It relies on Math::Random::Secure, which in
turn relies on Any::Moose, Crypt::Random::Source, and
Math::Random::ISAAC.  And two of those three have additional
dependencies, and so on.

On the other hand Bytes::Random has no dependencies besides Perl itself.

My thought was that Bytes::Random::Secure could be a drop-in
replacement for Bytes::Random.  It also provides a few extra
functions, but its primary function should behave exactly like
Bytes::Random, but using a higher quality rand generator.  That extra
security comes at a greater cost, so a developer could make it an
optional dependency without changing any code.

The name makes it clear that this is the cryptographically sound
implementation, removing any ambiguity as to which module might be
appropriate for a given purpose.

However, if you feel strongly that it should be wrapped into
Bytes::Random, I could get in touch with the author and try to work
something out.  I do have the additional concern that by making
Bytes::Random prefer the "secure" mode if dependencies are present,
and fall back on the unsecure mode otherwise, we introduce some
uncertainty that could be a little more difficult for the module's
users to manage.

For my own uses, I prefer to know for certain that when I request
Bytes::Random::Secure I get the secure version, and don't have to
explicitly ensure that its dependencies are present in a build so that
it will function as I expect.  As its own module, I know that when it
installs via cpanm, it's the secure version.


Dave
-- 

David Oswald
daosw...@gmail.com
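
An added example, not part of the original message or of either module's code: a Perl loader that makes the secure-or-fallback choice discussed above explicit, so a downgrade is never silent. It assumes both modules provide `random_bytes($count)` as the message describes; `load_random_bytes` and its `require_secure` option are hypothetical names.

```perl
use strict;
use warnings;

# Candidate providers, strongest first. Both are assumed to expose
# random_bytes($count), as the message above describes.
my @SECURE   = ('Bytes::Random::Secure');
my @FALLBACK = ('Bytes::Random');    # no dependencies; the non-secure option

# Hypothetical helper: returns (coderef, module_name) for the first provider
# that loads. With require_secure => 1 it fails closed instead of downgrading.
sub load_random_bytes {
    my (%opt) = @_;
    my @candidates = $opt{require_secure} ? @SECURE : (@SECURE, @FALLBACK);

    for my $module (@candidates) {
        (my $file = "$module.pm") =~ s{::}{/}g;
        next unless eval { require $file; 1 };
        my $code = $module->can('random_bytes')
            or die "$module loaded but has no random_bytes()\n";
        return ($code, $module);
    }
    die "No acceptable random_bytes provider installed (tried: @candidates)\n";
}

# Security-sensitive caller: a token must never come from the fallback.
my ($secure_bytes, $provider) = eval { load_random_bytes(require_secure => 1) };
if ($secure_bytes) {
    printf "token from %s: %s\n", $provider, unpack('H*', $secure_bytes->(16));
}
else {
    print "refusing to issue token: $@";
}

# Non-sensitive caller (e.g. test fixtures): a downgrade is acceptable, but
# the provider name is reported so the choice is visible in logs.
my ($any_bytes, $used) = eval { load_random_bytes() };
if ($any_bytes) {
    warn "random_bytes provided by $used\n";
    printf "fixture data: %s\n", unpack('H*', $any_bytes->(8));
}
else {
    print "no provider available: $@";
}
```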
