Re: Random not so random

Harald Fuchs <hf0722x@protecting.net> writes:
>> Tom Lane <tgl@sss.pgh.pa.us> wrote:
>>>> It might improve matters to make the code do something like
>>>> srandom((unsigned int) (now.tv_sec ^ now.tv_usec));

> I think we don't need the randomness provided by /dev/[u]random.  How
> about XORing in getpid?

That sounds like a fine compromise --- it'll ensure a reasonable-size
set of possible seeds, it's at least marginally less predictable than
now.tv_sec, and it's perfectly portable.  No one in their right mind
expects random(3) to be cryptographically secure anyway, so doing more
doesn't seem warranted.

The various proposals to create a more-secure, less-portable variant
of random() don't seem appropriate to me for beta.  But I'd not object
to someone whipping up a contrib module for 8.1 or beyond.

            regards, tom lane