On Mon, Feb 17, 2003 at 04:40:48PM +1100, Tim Robbins wrote:

> I disagree. It's safe to use rand() in games and in certain kinds of
> simulations when you don't care that the distribution isn't quite
> uniform, or when you prefer speed over quality. I don't think rand()
> needs a warning message like gets() &c. because it's not as dangerous.

The problem is that there are a number of applications that use it when they should not. I've given examples of two of them, and there are probably lots of others I haven't noticed. For example, I just checked, and libICE appears to use rand() for cookie generation. This is completely bogus, and insecure.

Note that I was only suggesting this patch be committed to -current for purposes of finding out what these applications are, and fixing them as appropriate.

> I'd much prefer that rand() generated higher quality numbers, though.

Me too, but that is apparently not possible because of API constraints.

Kris
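An added example, not part of the original message and not code from libICE or FreeBSD: it shows why a cookie built from rand() is only as secret as the seed given to srand(), next to a version that reads the bytes from the kernel random device. The function names, COOKIE_LEN and the use of /dev/urandom are assumptions made for the illustration.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define COOKIE_LEN 16   /* constructed length for this example */

/* Weak: every byte is a function of the seed, so the seed is the only secret. */
static void cookie_from_rand(unsigned int seed, unsigned char out[COOKIE_LEN])
{
    srand(seed);
    for (size_t i = 0; i < COOKIE_LEN; i++)
        out[i] = (unsigned char)(rand() & 0xff);
}

/* Replacement: read the bytes from the kernel random device. 0 on success. */
static int cookie_from_urandom(unsigned char out[COOKIE_LEN])
{
    FILE *f = fopen("/dev/urandom", "rb");   /* assumed to exist on the host */
    if (f == NULL)
        return -1;
    size_t n = fread(out, 1, COOKIE_LEN, f);
    fclose(f);
    return n == COOKIE_LEN ? 0 : -1;         /* never fall back to rand() */
}

/* 1 if two rand() cookies built from the same seed are byte-identical. */
static int rand_cookie_repeats(unsigned int seed)
{
    unsigned char a[COOKIE_LEN], b[COOKIE_LEN];
    cookie_from_rand(seed, a);
    cookie_from_rand(seed, b);
    return memcmp(a, b, COOKIE_LEN) == 0;
}

/* 1 if two device-backed cookies differ, 0 if equal, -1 on read failure. */
static int urandom_cookies_differ(void)
{
    unsigned char a[COOKIE_LEN], b[COOKIE_LEN];
    if (cookie_from_urandom(a) != 0 || cookie_from_urandom(b) != 0)
        return -1;
    return memcmp(a, b, COOKIE_LEN) != 0;
}

int main(void)
{
    printf("rand() cookie repeats for seed 12345: %d\n", rand_cookie_repeats(12345u));
    printf("urandom cookies differ: %d\n", urandom_cookies_differ());
    return 0;
}
```

A 128-bit cookie produced this way carries no more entropy than the unsigned int seed, whatever its length.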