Thanks for cc-ing me. I don't have much exposure to random, so I am cc-ing the Cryptography list, in hopes they might help. This doesn't seem very random, you're right. Here were Peter's questions:
My questions:
1) do we really want to have global fixed seed?
2) Random new should actually setup a usable seed so I don't need to first run it N times before I can use the value
3) Should we switch to what UUIDGenerator is using… reading /dev/urandom for the initial seed setup?

Rob
On 05/18/2016 07:05 PM, Peter Uhnák wrote:
Hi,
(cc-ing Robert Withers as he seems to be working with cryptography and security... as this seems related and may have some implications, but I am likely wrong about the implications)
yesterday I've encountered a very surprising behavior
I executed the same script `10 atRandom` on the same image without saving it and got the same output:
while true; do
    pharo-vm --nodisplay latest.image --no-default-preferences eval '10 atRandom'
done
10
10
10
10
10
10
Not so random… not random at all.
Apparently the default random generator uses SharedRandom pool, that is initialized only once… so every time you start an image you get the EXACT same random seed... I think this is stupid, and I am not sure what are the security implications of this (e.g. when opening an SSL connection… having fixed world-wide initial seed seems like an awful, awful idea), but whatever…
So instead I tried to explicitly specify the Random generator… which I can do
while true; do
    pharo-vm --nodisplay latest.image --no-default-preferences eval '10 atRandom: Random new'
done
5
5
5
5
5
Still not random… what?
while true; do
    pharo-vm --nodisplay latest.image --no-default-preferences eval 'Random new instVarNamed: #seed'
done
426306047
426305545
426305546
426306010
So the seed is different but thanks to the magic of masking the seed, I always get the same first several bits… thus the same result for small numbers.
So if I actually want what seems like a random value… I have to at least once run the generator…
while true; do
    pharo-vm --nodisplay latest.image --no-default-preferences eval '10 atRandom: (Random new next; yourself)'
done
7
3
4
9
6
7
Once I start to use it the properties of the algo kick in so it's pseudo-random… but I need to run it once to initialize it, which is wtf.
My questions:
1) do we really want to have global fixed seed?
2) Random new should actually setup a usable seed so I don't need to first run it N times before I can use the value
3) Should we switch to what UUIDGenerator is using… reading /dev/urandom for the initial seed setup?
Peter
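The collapse Peter shows, modelled as an added example that is not code from either mail or from Pharo: a Park-Miller generator (assumed here to be the algorithm behind Pharo's Random) seeded from a millisecond clock gives the same first `10 atRandom:` value for seeds a few hundred apart, spreads out after one warm-up draw, and is seeded from the OS entropy pool instead via os.urandom. The seed values and the 100 ms spacing are constructed to sit near the seeds printed above.

```python
import os

# Park-Miller "minimal standard" parameters. Assumption: this is the
# generator behind Pharo's Random; the model only needs to reproduce the
# symptom (first draw lands near the raw seed, later draws spread out).
M = 2**31 - 1
A = 16807


class ParkMiller:
    """Toy LCG: each draw is one modular multiplication of the state."""

    def __init__(self, seed):
        self.state = seed % M or 1  # state must stay in 1..M-1

    def next_float(self):
        self.state = (A * self.state) % M
        return self.state / M

    def next_int(self, n):
        """1..n, the shape of Pharo's `n atRandom: aGenerator`."""
        return int(self.next_float() * n) + 1


def clock_seeds(start_ms, count, step_ms=100):
    """Constructed stand-in for `Random new` seeded from a millisecond
    clock by processes started step_ms apart."""
    return [(start_ms + i * step_ms) % M for i in range(count)]


def urandom_seed():
    """Seed from the OS entropy pool, the /dev/urandom approach Peter
    mentions; os.urandom reads it (or the platform equivalent)."""
    return int.from_bytes(os.urandom(4), "big") % M


def first_draw_values(seeds, n=10, warm_up=0):
    """One fresh generator per seed, advanced warm_up times, then its
    first `n atRandom:`-style value; returns the set of distinct values."""
    seen = set()
    for s in seeds:
        g = ParkMiller(s)
        for _ in range(warm_up):
            g.next_float()
        seen.add(g.next_int(n))
    return seen


if __name__ == "__main__":
    seeds = clock_seeds(426306047, 20)  # constructed, near the seeds in the mail
    print("no warm-up :", first_draw_values(seeds))            # {5}
    print("one warm-up:", first_draw_values(seeds, warm_up=1))  # several values
    print("urandom    :", first_draw_values([urandom_seed() for _ in range(20)]))
```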
_______________________________________________
Cryptography mailing list
Cryptography@lists.squeakfoundation.org
http://lists.squeakfoundation.org/cgi-bin/mailman/listinfo/cryptography