From ben@linuxgazette.net

Created by ben@linuxgazette.net

"perldoc -f srand" (and consequently, perlfunc.pod) contains the following​:

``
  Note that you need something much more random than the default
  seed for cryptographic purposes. Checksumming the compressed
  output of one or more rapidly changing operating system status
  programs is the usual method. For example​:

  srand (time ^ $$ ^ unpack "%L*", `ps axww | gzip`);
''

The problem is that 'ps axww | gzip' returns the same output every time, at
least on my system​:

``
ben@​Tyr​:~$ ps axww|gzip
gzip​: compressed data not written to a terminal. Use -f to force compression.
For help, type​: gzip -h
''

The solution suggested in the error message (i.e., 'ps axww | gzip -f')
works fine.

Best regards,
Ben Okopnik
-=-=-=-=-=-

Flags:
    category=docs
    severity=low

Site configuration information for perl v5.8.7:

Configured by Debian Project at Fri Dec 16 07:58:13 UTC 2005.

Summary of my perl5 (revision 5 version 8 subversion 7) configuration:
  Platform:
    osname=linux, osvers=2.6.8.1, archname=x86_64-linux-gnu-thread-multi
    uname='linux yellow 2.6.8.1 #1 smp mon jul 18 14:11:24 utc 2005 x86_64 gnulinux '
    config_args='-Dusethreads -Duselargefiles -Dccflags=-DDEBIAN -Dcccdlflags=-fPIC -Darchname=x86_64-linux-gnu -Dprefix=/usr -Dprivlib=/usr/share/perl/5.8 -Darchlib=/usr/lib/perl/5.8 -Dvendorprefix=/usr -Dvendorlib=/usr/share/perl5 -Dvendorarch=/usr/lib/perl5 -Dsiteprefix=/usr/local -Dsitelib=/usr/local/share/perl/5.8.7 -Dsitearch=/usr/local/lib/perl/5.8.7 -Dman1dir=/usr/share/man/man1 -Dman3dir=/usr/share/man/man3 -Dsiteman1dir=/usr/local/man/man1 -Dsiteman3dir=/usr/local/man/man3 -Dman1ext=1 -Dman3ext=3perl -Dpager=/usr/bin/sensible-pager -Uafs -Ud_csh -Uusesfio -Uusenm -Duseshrplib -Dlibperl=libperl.so.5.8.7 -Dd_dosuid -des'
    hint=recommended, useposix=true, d_sigaction=define
    usethreads=define use5005threads=undef useithreads=define usemultiplicity=define
    useperlio=define d_sfio=undef uselargefiles=define usesocks=undef
    use64bitint=define use64bitall=define uselongdouble=undef
    usemymalloc=n, bincompat5005=undef
  Compiler:
    cc='cc', ccflags ='-D_REENTRANT -D_GNU_SOURCE -DTHREADS_HAVE_PIDS -DDEBIAN -fno-strict-aliasing -pipe -I/usr/local/include -D_LARGEFILE_SOURCE -D_FILE_OFFSET_BITS=64',
    optimize='-O2',
    cppflags='-D_REENTRANT -D_GNU_SOURCE -DTHREADS_HAVE_PIDS -DDEBIAN -fno-strict-aliasing -pipe -I/usr/local/include'
    ccversion='', gccversion='4.0.3 20051204 (prerelease) (Ubuntu 4.0.2-5ubuntu2)', gccosandvers=''
    intsize=4, longsize=8, ptrsize=8, doublesize=8, byteorder=12345678
    d_longlong=define, longlongsize=8, d_longdbl=define, longdblsize=16
    ivtype='long', ivsize=8, nvtype='double', nvsize=8, Off_t='off_t', lseeksize=8
    alignbytes=8, prototype=define
  Linker and Libraries:
    ld='cc', ldflags =' -L/usr/local/lib'
    libpth=/usr/local/lib /lib /usr/lib
    libs=-lgdbm -lgdbm_compat -ldb -ldl -lm -lpthread -lc -lcrypt
    perllibs=-ldl -lm -lpthread -lc -lcrypt
    libc=/lib/libc-2.3.5.so, so=so, useshrplib=true, libperl=libperl.so.5.8.7
    gnulibc_version='2.3.5'
  Dynamic Linking:
    dlsrc=dl_dlopen.xs, dlext=so, d_dlsymun=undef, ccdlflags='-Wl,-E'
    cccdlflags='-fPIC', lddlflags='-shared -L/usr/local/lib'

Locally applied patches:
    SPRINTF0 - fixes for sprintf formatting issues - CVE-2005-3962


@INC for perl v5.8.7:
    /etc/perl
    /usr/local/lib/perl/5.8.7
    /usr/local/share/perl/5.8.7
    /usr/lib/perl5
    /usr/share/perl5
    /usr/lib/perl/5.8
    /usr/share/perl/5.8
    /usr/local/lib/site_perl
    .


Environment for perl v5.8.7:
    HOME=/home/ben
    LANG=en_US.UTF-8
    LANGUAGE=en
    LD_LIBRARY_PATH=/usr/lib32/xorg:/usr/lib64/xorg
    LOGDIR (unset)
    PATH=/bin:/sbin:/usr/bin:/usr/sbin:/usr/local/bin:/usr/local/sbin:/usr/bin/X11:/usr/games:/usr/local/games:/home/ben/games/battalion:/var/svn/linuxgazette.net/bin
    PERLDOC=-otext
    PERL_BADLANG (unset)
    SHELL=/bin/bash

From @rgs

On 03/10/2007, via RT ben @​ linuxgazette. net <perlbug-followup@​perl.org> wrote​:

"perldoc -f srand" (and consequently, perlfunc.pod) contains the following​:

``
Note that you need something much more random than the default
seed for cryptographic purposes. Checksumming the compressed
output of one or more rapidly changing operating system status
programs is the usual method. For example​:

  srand \(time ^ $$ ^ unpack "%L\*"\, \`ps axww | gzip\`\);

''

The problem is that 'ps axww | gzip' returns the same output every time, at
least on my system​:

``
ben@​Tyr​:~$ ps axww|gzip
gzip​: compressed data not written to a terminal. Use -f to force compression.
For help, type​: gzip -h
''

The solution suggested in the error message (i.e., 'ps axww | gzip -f')
works fine.

Thanks, I've updated the docs accordingly.

@rgs - Status changed from 'new' to 'resolved'

The RT System itself - Status changed from 'new' to 'open'

From ben@morrow.me.uk

Quoth perl5-porters@​perl.org​:

"perldoc -f srand" (and consequently, perlfunc.pod) contains the following​:

``
Note that you need something much more random than the default
seed for cryptographic purposes. Checksumming the compressed
output of one or more rapidly changing operating system status
programs is the usual method. For example​:

  srand \(time ^ $$ ^ unpack "%L\*"\, \`ps axww | gzip\`\);

''

The problem is that 'ps axww | gzip' returns the same output every time, at
least on my system​:

``
ben@​Tyr​:~$ ps axww|gzip
gzip​: compressed data not written to a terminal. Use -f to force compression.
For help, type​: gzip -h
''

This is only the case if gzip's stdout is a terminal (as it says). If
gzip is writing to a pipe (as it is in the srand docs) it is perfectly
happy, at least on my system​:

  ~% ps axww | gzip | cat
  # gzip output

Ben

From nospam-abuse@bloodgate.com

Moin,

On Thursday 04 October 2007 00​:06​:13 Ben Morrow wrote​:

Quoth perl5-porters@​perl.org​:

"perldoc -f srand" (and consequently, perlfunc.pod) contains the
following​:

``
Note that you need something much more random than the default
seed for cryptographic purposes. Checksumming the compressed
output of one or more rapidly changing operating system status
programs is the usual method. For example​:

  srand \(time ^ $$ ^ unpack "%L\*"\, \`ps axww | gzip\`\);

''

The problem is that 'ps axww | gzip' returns the same output every
time, at least on my system​:

``
ben@​Tyr​:~$ ps axww|gzip
gzip​: compressed data not written to a terminal. Use -f to force
compression. For help, type​: gzip -h
''

This is only the case if gzip's stdout is a terminal (as it says). If
gzip is writing to a pipe (as it is in the srand docs) it is
perfectly happy, at least on my system​:

~% ps axww | gzip | cat
\# gzip output

The same on SuSE 10.1. In addition we should note that the documented
method to seed rand() is very poor - at least on my system the
following holds​:

  time can be easily guessed - even if you guess it only to the hour you
  end up with only 3600 different values (e.g. less than 16 bit)
  $$ is only 16 bit
  the result of unpack("%L*") somehow returns only 16 bit

And since the expression just blindly XORs these bit together, you
basically end up with no more than 16 bit that vary for your seed.
Oops.

All the best,

Tels

PS​: First email from Kubuntu 7.04 64 bit. Never, ever, touch a running
system, even if it is just to upgrade the CPU from single to
dual-core...anybody interested can hear my tale of woe...

--
Signed on Fri Oct 5 18​:33​:27 2007 with key 0x93B84C15.
View my photo gallery​: http​://bloodgate.com/photos
PGP key on http​://bloodgate.com/tels.asc or per email.

"If you want to travel around the world and be invited to speak at a
lot of different places, just write a Unix operating system."

  -- Linus Torvalds

From @jkeenan

On Tue Oct 02 21​:33​:49 2007, ben@​linuxgazette.net wrote​:

This is a bug report for perl from ben@​linuxgazette.net,
generated with the help of perlbug 1.35 running under perl v5.8.7.

-----------------------------------------------------------------
[Please enter your report here]

"perldoc -f srand" (and consequently, perlfunc.pod) contains the
following​:

``
Note that you need something much more random than the default
seed for cryptographic purposes. Checksumming the compressed
output of one or more rapidly changing operating system status
programs is the usual method. For example​:

  srand \(time ^ $$ ^ unpack "%L\*"\, \`ps axww | gzip\`\);

''

The problem is that 'ps axww | gzip' returns the same output every
time, at
least on my system​:

``
ben@​Tyr​:~$ ps axww|gzip
gzip​: compressed data not written to a terminal. Use -f to force
compression.
For help, type​: gzip -h
''

The solution suggested in the error message (i.e., 'ps axww | gzip
-f')
works fine.

In blead, it appears that pod/perlfunc.pod's section on srand() has been
substantially rewritten, such that neither the language which the OP was
criticizing nor what replaced it can be found.

Is there any reason to keep this ticket open?

Thank you very much.
Jim Keenan

From @ikegami

On Thu, May 3, 2012 at 10​:03 PM, James E Keenan via RT <
perlbug-followup@​perl.org> wrote​:

In blead, it appears that pod/perlfunc.pod's section on srand() has been
substantially rewritten, such that neither the language which the OP was
criticizing nor what replaced it can be found.

Is there any reason to keep this ticket open?

The passage with deleted, not replaced. The docs say what not to do, but
not what it should do (say after a fork()). What should one do?

- Eric

From @ikegami

On Thu, May 3, 2012 at 10​:17 PM, Eric Brine <ikegami@​adaelis.com> wrote​:

On Thu, May 3, 2012 at 10​:03 PM, James E Keenan via RT <
perlbug-followup@​perl.org> wrote​:

In blead, it appears that pod/perlfunc.pod's section on srand() has been
substantially rewritten, such that neither the language which the OP was
criticizing nor what replaced it can be found.

Is there any reason to keep this ticket open?

The passage with deleted, not replaced. The docs say what not to do, but
not what it should do (say after a fork()). What should one do?

oh, call srand() with no args? Maybe something to that effect should be
included?

=Frequently called programs (like CGI scripts) that simply use

= time ^ $$

=for a seed can fall prey to the mathematical property that

= a^b == (a+1)^(b+1)

=one-third of the time. So don't do that.
+If you need a new seed (e.g. in a child created by L</fork>),
+call C<srand> with no arguments.

From @dcollinsn

This looks like an easy docs ticket with some suggested language already. Anyone have a small tuit to close this out?

--
Respectfully,
Dan Collins

From [Unknown Contact. See original ticket]

This looks like an easy docs ticket with some suggested language already. Anyone have a small tuit to close this out?

--
Respectfully,
Dan Collins

From @mauke

On Sat Jul 16 16​:13​:19 2016, dcollinsn@​gmail.com wrote​:

This looks like an easy docs ticket with some suggested language
already. Anyone have a small tuit to close this out?

Language to that effect was added in 2010 by commit d460397, so I'm closing this ticket.

@mauke - Status changed from 'open' to 'resolved'