Phobos randomUUID is not suitable to generate secrets
schveiguy at gmail.com
Sun Sep 6 01:17:59 UTC 2020
On 9/5/20 6:41 AM, Johannes Pfau wrote:
> Unfortunately, we cannot silently replace this overload to use a secure
> RNG: On Linux, would we use random or urandom? And the system rng can
> block on low entropy, which could cause regressions in some applications.
> Also some applications (like vibe.d) would probably rather block a fiber
> than a thread, which complicates things more.
1. The default should be changed, even if it's not as performant. There
is no promise about randomUUID's performance.
2. vibe.d does not depend on this, so there are no worries about
blocking a thread.