The documentation really isn't helping things either.
https://doc.qt.io/qt-6/qrandomgenerator.html
From the intro: "QRandomGenerator::securelySeeded() can be used to create a QRandomGenerator that is securely seeded with QRandomGenerator::system(), meaning that the sequence of numbers it generates cannot be easily predicted. Additionally, QRandomGenerator::global() returns a global instance of QRandomGenerator that Qt will ensure to be securely seeded." And then later, reading about QRandomGenerator::global(), it starts by saying, "Returns a pointer to a shared QRandomGenerator that was seeded using securelySeeded()."
Sounds great, like we should just use QRandomGenerator::global() for everything, right? Wrong. It turns out QRandomGenerator::system() is the one that uses 1,2,3,4,5,(6godforbid) in my email above. QRandomGenerator::global(), on the contrary, uses "std::mersenne_twister_engine<quint32,32,624,397,31,0x9908b0df,11,0xffffffff,7,0x9d2c5680,15,0xefc60000,18,1812433253>".
So then you keep reading the documentation and it mentions that ::system() is "to access the system's cryptographically-safe random generator." So okay maybe if you're really up with the lingo, you'll know to use that. But to your average reader, what's the difference between "securely seeded" and "system's cryptographically-safe random number generator"? And even to me, I was left wondering what exactly was securely seeded before I looked at the source. For example, OpenBSD's arc4random securely seeds a chacha20 instance in libc before proceeding. That's a lot different from std::mersenne_twister_engine!
I was looking for uses of ::system() on my laptop so that I could verify the behavior described in my last email dynamically, when I came across this from my favorite music player (author CC'd): https://github.com/strawberrymusicplayer/strawberry/blob/master/src/utilitie...
    QString CryptographicRandomString(const int len) {
      const QString UseCharacters(u"ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789-._~"_s);
      return GetRandomString(len, UseCharacters);
    }

    QString GetRandomString(const int len, const QString &UseCharacters) {
      QString randstr;
      for (int i = 0; i < len; ++i) {
        const qint64 index = QRandomGenerator::global()->bounded(0, UseCharacters.length());
Using ::global() for something "cryptographic". I don't blame the author at all! The documentation is confusing as can be.
And this is all on top of the fact that ::system() is pretty mucky, as described in my last email.
Jason
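
Why "securely seeded" is not the same as "cryptographically safe", as an added example that is not part of the original email and is not Qt code: a std::mt19937 (the same engine parameters as quoted above) seeded from the OS entropy source still exposes its whole state through 624 consecutive outputs. The function names are hypothetical, only raw 32-bit outputs are modelled, and QRandomGenerator's own bounded() mapping is not.

```cpp
#include <array>
#include <cstdint>
#include <cstdio>
#include <random>
using u32 = std::uint32_t;
constexpr int N = 624, M = 397;  // MT19937 state size and middle-word offset

// Invert y = x ^ ((x shifted by s) & mask) by fixed-point iteration.
static u32 undo(u32 y, int s, u32 mask, bool left) {
    u32 x = y;
    for (int i = 0; i < 32; i += s) x = y ^ ((left ? x << s : x >> s) & mask);
    return x;
}
static u32 temper(u32 y) {  // output transform of MT19937
    y ^= (y >> 11) & 0xffffffffu;
    y ^= (y << 7) & 0x9d2c5680u;
    y ^= (y << 15) & 0xefc60000u;
    return y ^ (y >> 18);
}
static u32 untemper(u32 y) {  // the same steps inverted, in reverse order
    y = undo(y, 18, 0xffffffffu, false);
    y = undo(y, 15, 0xefc60000u, true);
    y = undo(y, 7, 0x9d2c5680u, true);
    return undo(y, 11, 0xffffffffu, false);
}

// Read 624 outputs, rebuild the state words, then count how many of the
// next `count` outputs equal the value computed from that rebuilt state.
int predicted_after_observing(std::mt19937 &gen, int count) {
    std::array<u32, N> s;
    for (auto &w : s) w = untemper(static_cast<u32>(gen()));
    int hits = 0;
    for (int k = 0; k < count; ++k) {
        const int i = k % N;
        const u32 y = (s[i] & 0x80000000u) | (s[(i + 1) % N] & 0x7fffffffu);
        s[i] = s[(i + M) % N] ^ (y >> 1) ^ ((y & 1u) ? 0x9908b0dfu : 0u);
        hits += (temper(s[i]) == gen()) ? 1 : 0;
    }
    return hits;
}

// Seed from the OS entropy source ("securely seeded"), then measure predictability.
int securely_seeded_demo() {
    std::random_device rd;
    std::seed_seq seq{rd(), rd(), rd(), rd(), rd(), rd(), rd(), rd()};
    std::mt19937 gen(seq);
    return predicted_after_observing(gen, 1000);
}
int main() { std::printf("%d of 1000 predicted\n", securely_seeded_demo()); }
```

The seed quality never enters the result: every output after the first 624 is determined by outputs already seen, which is the property a cryptographically safe generator must not have.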