[Development] What to do with qrand/qsrand?

Jason H jhihn at gmx.com
Wed Jun 14 17:26:50 CEST 2017


Given the amount of software that is compromised by bad random number generation practices, I'd suggest we invert the normal behavior - random by default. If they need predictability then make them seed with a constant seed.

For a more detailed talk on secure random: 
https://www.youtube.com/watch?v=n_xiOYvr6oY




> Sent: Tuesday, June 13, 2017 at 3:52 PM
> From: "Thiago Macieira" <thiago.macieira at intel.com>
> To: development at qt-project.org
> Subject: [Development] What to do with qrand/qsrand?
>
> I've changed almost all uses of qrand in Qt sources to QRandomGenerator and 
> eliminated the use of qsrand. That is actually the biggest advantage: not 
> needing to seed the generator. I was quite surprised how much use of qrand we 
> have in our own source code, and not just in examples. (See commits with 
> Change-Id Icd0e0d4b27cb4e5eb892fffd14b5285d43f4afbf).
> 
> Obviously those functions need to remain in Qt 5, but what should we do to 
> them long-term? See
> 	https://lxr.kde.org/ident?_i=qrand&_remember=1
> 
> With this many references, I'm not sure we should even add a QT_DEPRECATED 
> warning to it, since that would make trigger-happy "warning--" developers in 
> KDE move wholesale to something else.
> 
> Options:
>  1) do nothing, leave as-is (in Qt 6, use thread_local)
> 
>  2) deprecate and provide no replacement. That is, tell people to either:
>    - use QRandomGenerator if they need true random, non-bulk
>    - use <random> engines if they need bulk
>    - use <stdlib.h> rand() if they need C library compatibility
> 
>  3) deprecate and provide a thread-safe PRNG, which can be used in bulk
>     a) with no seed; or
>     b) with an access to seeding
> 
>  4) same as #3, but actually use the qrand/qsrand names
>    for (a), qsrand would be empty
> 
> -- 
> Thiago Macieira - thiago.macieira (AT) intel.com
>   Software Architect - Intel Open Source Technology Center
> 
> 
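
The behaviour discussed in this thread ("random by default", with options 3a and 3b from the quoted message), as an added example in standard C++; it is not Qt code and not part of either e-mail. `AutoSeededRng`, `threadRng` and `legacyRandRepeats` are hypothetical names, and `std::mt19937_64` is an assumed stand-in for the engine.

```cpp
#include <array>
#include <cstdint>
#include <cstdlib>
#include <random>

// Hypothetical class (not a Qt API): unpredictable by default, reproducible only on request.
class AutoSeededRng {
public:
    // Option 3a: no seed supplied, so draw 256 bits from the OS via std::random_device.
    AutoSeededRng() {
        std::random_device rd;
        std::array<std::uint32_t, 8> entropy;
        for (auto &word : entropy) word = rd();
        std::seed_seq seq(entropy.begin(), entropy.end());
        engine_.seed(seq);
    }
    // Option 3b: predictability is opt-in and visible at the call site.
    explicit AutoSeededRng(std::uint64_t fixedSeed) : engine_(fixedSeed) {}
    std::uint64_t next() { return engine_(); }
    // Uniform value in [0, bound); avoids the modulo bias of `rand() % bound`.
    std::uint32_t bounded(std::uint32_t bound) {
        if (bound == 0) return 0;  // empty range: nothing to choose from
        return std::uniform_int_distribution<std::uint32_t>(0, bound - 1)(engine_);
    }
private:
    // Assumption: mt19937_64 stands in for the bulk engine. It is not a CSPRNG;
    // keys and tokens should come from the OS generator directly.
    std::mt19937_64 engine_;
};

// One instance per thread: no shared state to lock or race on.
AutoSeededRng &threadRng() {
    thread_local AutoSeededRng rng;
    return rng;
}

// Contrast: the C library generator repeats its sequence for a given seed, and
// calling rand() without srand() behaves as if srand(1) had been called.
bool legacyRandRepeats() {
    std::srand(1);
    const int first = std::rand();
    std::srand(1);
    return first == std::rand();
}

int main() {
    AutoSeededRng replay(42), again(42);  // 42 is a constructed seed value
    return (replay.next() == again.next() && threadRng().bounded(6) < 6 && legacyRandRepeats()) ? 0 : 1;
}
```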


