*looks at Ur/Web source* It is! I wonder why I wrote urweb-crypto-random-openssl. My best guess is that I was concerned by the fact that `rand` returns -1 on failure instead of throwing an application error. On the other hand, freaking out and writing my own library seems a bit of an overreaction. More likely I just didn’t bother to check the randomness properties of the built-in `rand` and assumed that it wrapped C `rand`.
The fact that `rand` returns -1 on failure, however, is a bit scary. That sounds like a CVE waiting to happen – people aren’t going to check the result code from `rand`. Adam, how would you feel about it returning an `option` or throwing an application error if it fails?
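The concern in the message above, as an added C example that is not part of the original message and is not Ur/Web's code: a caller that ignores a -1 sentinel turns every RNG failure into the same constant token, while an option-style interface makes the failure unskippable. All names here (`entropy_read`, `rand_sentinel`, `rand_checked`, the token helpers) are hypothetical, and the entropy source is a constructed stand-in.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Constructed stand-in for an entropy source that can be forced to fail.
   The LCG is NOT a CSPRNG; it only makes the demo run offline. */
static bool source_broken = false;
static uint64_t state = 0x9e3779b97f4a7c15ULL;

static bool entropy_read(int64_t *out) {
    if (source_broken) return false;
    state = state * 6364136223846793005ULL + 1442695040888963407ULL;
    *out = (int64_t)(state >> 1);          /* always non-negative */
    return true;
}

/* Sentinel style: failure is reported in-band as -1. */
int64_t rand_sentinel(void) {
    int64_t v;
    return entropy_read(&v) ? v : -1;
}

/* Caller that never checks the result, as the message predicts. */
void token_unchecked(char buf[17]) {
    snprintf(buf, 17, "%016llx", (unsigned long long)rand_sentinel());
}

/* Option style: the value is only reachable through the success branch. */
bool rand_checked(int64_t *out) { return entropy_read(out); }

bool token_checked(char buf[17]) {
    int64_t v;
    if (!rand_checked(&v)) return false;   /* no token on failure */
    snprintf(buf, 17, "%016llx", (unsigned long long)v);
    return true;
}

int main(void) {
    char a[17], b[17];
    source_broken = true;
    token_unchecked(a);
    token_unchecked(b);
    printf("unchecked: %s %s (identical: %d)\n", a, b, strcmp(a, b) == 0);
    printf("checked:   %s\n", token_checked(a) ? a : "refused");
    return 0;
}
```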
