Yet another thing. Where do you see that Go and Swift have secure random as a keyword? Searching for "golang random" gives the math/rand package as
---------- Forwarded message ---------- From: Theo de Raadt Date: Wed, Sep 9, 2015 at 10:36 AM Subject: Re: getentropy, getrandom, arc4random() To: guido@python.org the
first hit, which has a note reminding the reader to use crypto/rand for security work.
yes, well, look at the other phrase it uses... that produces a deterministic sequence of values each time a program is run it documents itself as being decidely non-random. that documentation change happened soon after this event: https://lwn.net/Articles/625506/ these days, the one people are using is found using "go secure random" https://golang.org/pkg/crypto/rand/ that opens /dev/urandom or uses the getrandom system call depending on system. it also has support for the windows entropy API. it pulls data into a large buffer, a cache. then each subsequent call, it consumes some, until it rus out, and has to do a fresh read. it appears to not clean the buffer behind itself, probably for performance reasons, so the memory is left active. (forward secrecy violated) i don't think they are doing the best they can... i think they should get forward secrecy and higher performance by having an in-process chacha. but you can sense the trend. here's an example of the fallout.. https://github.com/golang/go/issues/9205
For Swift it's much the same -- there's an arc4random() in the Darwin package but nothing in the core language.
that is what people are led to use. -- --Guido van Rossum (python.org/~guido)