New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
proposal: math/rand: disambiguate Read from crypto/rand.Read #20661
Comments
We can't change this for Go 1, so I've tagged this for Go2 for consideration in the future. |
You can always do
That at least makes it clearer at the callsite what you intended. |
@bradfitz - makes sense; is there a warning capability in the Go 1 compiler? |
Intentionally not. See the https://golang.org/doc/faq#unused_variables_and_imports answer. |
Why can't we just add new alias functions with a suffix like Crypto e.g. ReadCrypto/NewCrypto/NewSourceCrypto/etc... That way we still have the 1.0 compatibility and makes it easier for people to make sure they are using the correct rand. |
I suppose we could, but we generally try to avoid having two ways to do the same thing. |
Well I'm not in the affected group so I'll let you guys debate if the pros outweigh the cons. But I can imagine some company having a security vulnerability cause of some late night coding where someone auto imported math/rand instead of crypto/rand. |
Your security vulnerability scenario involves all of the following failures:
It's possible, but it's a bit of a stretch. I don't think it warrants fixing in Go 1.x where it can't be changed cleanly. In the meantime, file bugs against any auto-import tools that get it wrong. |
Also: tools like gas (https://github.com/GoASTScanner/gas) already catch this. |
I don't think we should change the name of the |
What version of Go are you using (
go version
)?1.7.3
What operating system and processor architecture are you using (
go env
)?all
What did you do?
I wrote https://play.golang.org/p/WpSHEv_Mc7
I should have written https://play.golang.org/p/Ho8Ior-om7
In practice, the import statement and the function invocation are not one line apart, but separated by a lot of code. Also, IDEs may automatically import the wrong package.
What did you expect to see?
I expected crypto rand to be obviously different than math rand. Something like:
while,
This makes it super clear that one is not like the other, and helps the developer decide which to use. Also helps code reviewers determine if there is an obvious error.
Security should be explicit.
What did you see instead?
I saw experienced and inexperienced developers both make the same mistake of using math/rand instead of crypto/rand, and code reviews miss the problem.
The text was updated successfully, but these errors were encountered: