cvs commit: src/games/fortune/strfile strfile.c

Andrey Chernov ache at
Fri Aug 8 06:32:14 UTC 2008

On Fri, Aug 08, 2008 at 12:21:50AM -0600, M. Warner Losh wrote:
> This does beg the question why we need cryptographically secure
> randomness for fortune, however...

1) PRNG is not crypto.

2) We already have it "cryptographically" secure via randomdev() for a 
long time in anycase.

3) Any code which use something like (...random() % modulo) when modulo is 
not divider of ...random()'s max suffer well known "modulo bias" bug which 
is not crypto but bad math and there is the main problem.

4) Uniformly distributed PRNG to avoid "modulo bias" bug available only 
for arc4random() at this time (making the same for random() involves too 
much math).

5) This changes comes from OpenBSD.


More information about the cvs-all mailing list