Update the documentation for rand() to note that it's not

cryptographically secure due to concerns that end-users are unaware of
this and use it in situations where security depends on the strength of
the randomness generated.

I'd have been happier getting this patch in earlier in the cycle.
We'd hoped to replace the RNG, but that didn't happen in time, so this
doc update is the "better, still not good" fallback.

diff --git a/pod/perlfunc.pod b/pod/perlfunc.pod
index f6fef97..26b8949 100644 (file)
--- a/pod/perlfunc.pod
+++ b/pod/perlfunc.pod
@@ -4578,6 +4578,13 @@ returns a random integer between C<0> and C<9>, inclusive.
 large or too small, then your version of Perl was probably compiled
 with the wrong number of RANDBITS.)
 
+B<C<rand()> is not cryptographically secure.  You should not rely
+on it in security-sensitive situations.>  As of this writing, a
+number of third-party CPAN modules offer random number generators
+intended by their authors to be cryptographically secure,
+including: L<Math::Random::Secure>, L<Math::Random::MT::Perl>, and
+L<Math::TrulyRandom>.
+
 =item read FILEHANDLE,SCALAR,LENGTH,OFFSET
 X<read> X<file, read>