[pgpool-hackers: 4592] Re: Shuffle random functions and use better random numbers
Tatsuo Ishii
ishii at postgresql.org
Mon May 12 10:51:23 JST 2025
> Hello all,
>
> After my previous string diff, this is the final linker warning on
> OpenBSD:
> ld: warning: pool_pg_utils.c(protocol/pool_pg_utils.o:(select_load_balancing_node)): warning: random() may return deterministic values, is that what you want?
>
> Fumbling around in cryptography/random numbers is never a good idea,
> unless you know what you're doing.
> So I fully expect this diff to be
> just a conversation starter.

Thanks for the patches. After reading them, I visited the PostgreSQL
source code and found the following.
- Our PostmasterRandom() was imported from PostgreSQL a long time ago
(2016). In the same year PostgreSQL replaced PostmasterRandom()
with pg_strong_random() (src/port/pg_strong_random.c).
pg_strong_random() looks better than PostmasterRandom(), since it's
more secure and portable. Moreover, no initialization is necessary.
- PostgreSQL introduced a Pseudo-Random Number Generator in 2021
(src/common/pg_prng.c). In the comment:
* Pseudo-Random Number Generator
*
* We use Blackman and Vigna's xoroshiro128** 1.0 algorithm
* to have a small, fast PRNG suitable for generating reasonably
* good-quality 64-bit data. This should not be considered
* cryptographically strong, however.
*
* About these generators: https://prng.di.unimi.it/
* See also https://en.wikipedia.org/wiki/List_of_random_number_generators
This is used for SQL functions in PostgreSQL. It looks pretty portable
and is maybe faster than the standard random() function on some
platforms. One bonus is that your select_rand_weight() is already
implemented in it: pg_prng_double().
Probably we should import pg_strong_random.c and pg_prng.c, then
change pgpool to use pg_strong_random() for generating salts and
pg_prng_double() for generating a random number between 0 and 1.0.
What do you think?
--
Tatsuo Ishii
SRA OSS K.K.
English: http://www.sraoss.co.jp/index_en/
Japanese:http://www.sraoss.co.jp
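
An added example, not part of the original message and not pgpool or PostgreSQL code: a C sketch of the split proposed in the message above, where an OS-seeded xoroshiro128** generator supplies a double in [0, 1) for weighted backend selection. All function names, the /dev/urandom seeding path and the sample weights are assumptions made for illustration.

```c
#include <stdint.h>
#include <stdio.h>

/* Hypothetical names throughout; added sketch, not pgpool or PostgreSQL code. */
typedef struct { uint64_t s0, s1; } prng_state;
static uint64_t rotl(uint64_t x, int k) { return (x << k) | (x >> (64 - k)); }

/* One xoroshiro128** 1.0 step: fast, but not cryptographically strong. */
static uint64_t prng_next(prng_state *st) {
    uint64_t s0 = st->s0, s1 = st->s1, r = rotl(s0 * 5, 7) * 9;
    s1 ^= s0;
    st->s0 = rotl(s0, 24) ^ s1 ^ (s1 << 16);
    st->s1 = rotl(s1, 37);
    return r;
}

/* Seed from the kernel CSPRNG (assumes /dev/urandom); 0 on success, -1 on failure. */
static int prng_seed_os(prng_state *st) {
    FILE *f = fopen("/dev/urandom", "rb");
    size_t n = f ? fread(st, sizeof *st, 1, f) : 0;
    if (f) fclose(f);
    if (n != 1) return -1;
    if (st->s0 == 0 && st->s1 == 0) st->s1 = 1; /* all-zero state never changes */
    return 0;
}

/* Uniform double in [0, 1): top 53 bits scaled by 2^-53. */
static double prng_double(prng_state *st) {
    return (double)(prng_next(st) >> 11) * (1.0 / 9007199254740992.0);
}

/* Return index i with probability weight[i] / sum, or -1 if no weight is positive. */
static int pick_weighted(prng_state *st, const double *weight, int n) {
    double total = 0.0, r;
    int i, last = -1;
    for (i = 0; i < n; i++) if (weight[i] > 0.0) { total += weight[i]; last = i; }
    if (last < 0) return -1;
    r = prng_double(st) * total;
    for (i = 0; i < n; i++) {
        if (weight[i] <= 0.0) continue;
        if (r < weight[i]) return i;
        r -= weight[i];
    }
    return last; /* guards against floating-point rounding at the top end */
}

int main(void) {
    prng_state st;
    double w[3] = {1.0, 0.0, 3.0}; /* constructed backend weights */
    if (prng_seed_os(&st) != 0) return 1;
    printf("selected node %d\n", pick_weighted(&st, w, 3));
    return 0;
}
```

Values that must be unpredictable to a client, such as salts, should come directly from the OS source rather than from this generator's output.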