spire icon indicating copy to clipboard operation
spire copied to clipboard
verified publisher icon typelevel

SecureJava should not take a seed

Open wsargent opened this issue 9 years ago • 2 comments

SecureJava has an option to pass a seed through to SecureRandom initially:

  def fromBytes(bytes: Array[Byte]): SecureJava =
    new SecureJava(new SecureRandom(bytes))

https://github.com/non/spire/blob/master/core/shared/src/main/scala/spire/random/rng/SecureJava.scala#L23

new SecureRandom(seed) is generally considered to be unsafe and non-portable: see http://stackoverflow.com/a/12251473/5266 for details. Ideally it should be deprecated and removed.

wsargent avatar Jan 11 '16 00:01 wsargent

This seems pretty uncontroversial.

rklaehn avatar Jan 11 '16 17:01 rklaehn

@wsargent we have deprecated it for now. Leaving this open so we don't forget to remove it.

rklaehn avatar Jan 12 '16 09:01 rklaehn