author: Jesse Vincent <jesse@bestpractical.com> 2011-04-19 23:53:07 +1000
committer: Jesse Vincent <jesse@bestpractical.com> 2011-04-20 00:39:08 +1000
commit: 9700c45b7e3bd512c56a8c3607f53e73245de6db (patch)
tree: d336cd81be30566931b59cf4b5c42b6a049fa6b9
parent: f3fd521e97e17e487d338c4534dfc6b72ddb4e06 (diff)
Update the documentation for rand() to note that it's not
cryptographically secure due to concerns that end-users are unaware of this and use it in situations where security depends on the strength of the randomness generated. I'd have been happier getting this patch in earlier in the cycle. We'd hoped to replace the RNG, but that didn't happen in time, so this doc update is the "better, still not good" fallback.
-rw-r--r-- pod/perlfunc.pod | 7
1 files changed, 7 insertions, 0 deletions
diff --git a/pod/perlfunc.pod b/pod/perlfunc.pod
index f6fef97219..26b89499a2 100644
--- a/pod/perlfunc.pod
+++ b/pod/perlfunc.pod
@@ -4578,6 +4578,13 @@ returns a random integer between C<0> and C<9>, inclusive.
large or too small, then your version of Perl was probably compiled
with the wrong number of RANDBITS.)
+B<C<rand()> is not cryptographically secure. You should not rely
+on it in security-sensitive situations.> As of this writing, a
+number of third-party CPAN modules offer random number generators
+intended by their authors to be cryptographically secure,
+including: L<Math::Random::Secure>, L<Math::Random::MT::Perl>, and
+L<Math::TrulyRandom>.
+
=item read FILEHANDLE,SCALAR,LENGTH,OFFSET
X<read> X<file, read>
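Review bot: the list of alternatives in the added paragraph includes L<Math::Random::MT::Perl>, but MT there is the Mersenne Twister, a statistical generator whose later output can be recovered from enough observed output; it does not belong in a list of cryptographically secure generators even under the "intended by their authors" hedge, so suggest dropping it. Any fixed list of CPAN module names will also go stale in perlfunc, so consider pointing readers at the operating system's random source (or a module that wraps it) as the general recommendation. The bold warning would land better with one sentence on why C<rand()> is unsuitable, so readers can judge the replacements they pick by the same standard.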