Replace fastrand with getrandom and base64
#188
Conversation
- Instead of setting up a predictable userspace RNG, we get unpredictable random bytes directly from the OS. This fixes Stebalien#178. - To obtain a uniformly distributed alphanumeric string, we convert the the random bytes to base64 and throw away any letters we don't want (`+` and `/`). With a low probability, this may result in obtaining too few alphanumeric letters, in which case we request more randomness from the OS until we have enough. - Because we cannot control the seed anymore, a test manufacturing collisions by setting the same seed for several threads had to be removed.
|
Wouldn't using the URL-safe Base64 alphabet avoid the issues with |
|
|
Hm. It also looks like we have a gap in our CI (#189). We should at least build on WASM (without WASI), even if we can't actually create temporary files. |
I guess the question here is: are we worse off? I haven't taken a look at rand or fastrand, they may have the same early-boot issue.
Basically, people tend to look at dependencies with skepticism. It's a small dependency, but it's still yet another thing to audit (and having a temporary file library depend on it is a bit strange). |
Fastrand seeds its RNG initially with the thread id and Instant::now. It does not use any other forms of entropy. Stracing I can't quite figure out where the call to NONBLOCK is coming from. Checking the docs, rand does seem problematic to use in early boot.
(https://docs.rs/rand/0.8.5/rand/rngs/struct.OsRng.html) And OsRng is what rand's default RNG uses (as a base source of entropy) In any case, if we can't get entropy at all, or if getrandom fails, then we'd need to fallback to... Current time and thread id, I suppose? So, keep on using fastrand, or roll our own generation. |
tests/namedtempfile.rs
Outdated
|
|
||
| #[cfg(unix)] | ||
| #[test] | ||
| fn test_make_uds_conflict() { |
There was a problem hiding this comment.
This test can presumably still exist, but less deterministically, by setting the rand_bytes to 1, then trying to generate 62 files. (Which will require that some of the threads retry unless they all get incredibly lucky, which won't happen).
I'd also use a https://doc.rust-lang.org/std/sync/struct.Barrier.html inside the thread but before the generation, to ensure they all wait until everyone's ready, so that if thread spawning is slower than file generation, it's not just sequential.
There was a problem hiding this comment.
This is possible, but the number of retries will no longer be deterministic.
|
@Stebalien Would you be ok with a base64 alphabet (e.g. by adding I can get rid of the |
Couldn't such a special application generate its own random file name? |
I want to stick to alpha-numeric (least surprise).
Not really. I really don't want to limit the use-cases of this library. But this is getting significantly more complicated than I had anticipated. It feels like we're basically re-inventing the I have limited time for the next few weeks, but I'm going to think about this a bit and come back to you. |
+and/). With a low probability, this may result in obtaining too few alphanumeric letters, in which case we request more randomness from the OS until we have enough.