RNGCryptoServiceProvider offers unappropriate API

[rillig]

The RNGCryptoServiceProvider should have an API that provides all the convenience methods of the standard Random class. It looks ridiculous having an example code snippet that is 34 lines longer than necessary.

If there were a decorator class providing the NextInt functions for rolling a dice or selecting a random element from an array or collection, many of the Stack Overflow answers could be written with a reasonable amount of code. As it is now, there is actual danger of people using the secure random number generator and then forgetting about the bias, just because they don't want to copy and paste the boilerplate code from this example.

This boilerplate code should be implemented exactly once, in the .NET standard library, and not millions of times by inexperienced programmers in a hurry of meeting a deadline.

References:

• https://stackoverflow.com/a/1344255

[vcsjones]

GetInt32 was added to System.Security.Cryptography.RandomNumberGenerator and will be available in .NET Core 3 and .NET Standard 2.1. Does this provide the solution you were looking for?

https://docs.microsoft.com/en-us/dotnet/api/system.security.cryptography.randomnumbergenerator.getint32?view=netcore-3.0

[rillig]

Partly. The documentation is still bloated. The documentation still needs to be adjusted to use this shiny new API. Having bloated code in the API documentation makes the API team look bad for no reason.

[danmoseley]

@bartonjs is going through our API docs I believe.

[danmoseley]

But @rillig you can just offer a PR : https://github.com/dotnet/dotnet-api-docs/blob/master/xml/System.Security.Cryptography/RNGCryptoServiceProvider.xml

[rillig]

@danmosemsft Thanks for the offer, but no. It's Microsoft's job to fix the documentation. And I don't write C#, Visual Basic and F# and assembly fluently to correct all of them. I strongly believe that these example snippets are all generated from a common template, otherwise this job would be really frustratingly boring and error-prone, and I cannot believe Microsoft is living that far in the past.

[owlstead]

@bartonjs I have created and tested a SecureRandom class that implements Random and takes a RandomNumberGenerator, if you're interested. Disadvantage: if functions rely on NextDouble() then you may not get a normal distribution; not evenly spread out and only 53 bits of mantissa.

[owlstead]

By the way, I'm trying to create an issue w.r.t. to this example: https://docs.microsoft.com/en-us/dotnet/api/system.random?view=net-5.0#generate-random-64-bit-integers which should be rewritten to use 8 random bytes and a conversion to long, but I don't know where. Sorry to put that here.

[vcsjones]

but I don't know where. Sorry to put that here.

If you mean an issue about the documentation itself, it should be filed in https://github.com/dotnet/dotnet-api-docs.

[danmoseley]

Or better still @owlstead you can offer a PR in dotnet-api-docs, which would get it fixed immediately. 😸

[owlstead]

@danmoseley I couldn't find the documentation page, so I went with the middle ground, raising an issue but with the code included.

[GrabYourPitchforks]

Transferred to dotnet/dotnet-api-docs#6997.