Policy on new PRNGs #464

Closed
pitdicker opened this issue May 17, 2018 · 10 comments

@pitdicker
Contributor

In the past couple of weeks it was suggested to include some very new PRNGs in Rand, like a fast key-erasure AES variant, Xoshiro, and Randen.

New PRNG designs are created frequently, possibly monthly. Some come with a paper, others are a GitHub repo and/or a blog post. The author will write something praising the highlights, having designed it to the best of his abilities. People get excited about it, and may want to add it to Rand directly.

It will take longer before others, equally or more knowledgeable than the author, can have a good look at it. Many PRNGs, both normal but especially CSPRNGs, don't make it through the 'second round'.

That is why, as a policy, I would propose to not accept any PRNGs in Rand that haven't yet built up some kind of good track record.

@vks
Collaborator

vks commented May 17, 2018

I understand the motivation for this, but what exactly is your proposal? "Build up some kind of good track record" is vague and hardly enforceable.

@pitdicker
Contributor Author

Yes, it is a bit vague, but I think it is really not that hard to get an idea about in practice.

For normal PRNGs it means not only the author should speak well of it, but also others in the field.

For CSPRNGs there should be at least one comprehensive paper but preferably multiple papers reviewing its security, besides the paper from the author. And there should be at least one reputable organization or company adapting it.

@dhardy
Member

dhardy commented May 17, 2018

Sounds sensible, if still a little vague. Perhaps we should add a "new features" section to Contributing.

You're right; having a standard response to suggestions to add very new RNGs makes sense.

However, we should have some kind of tracker for (a) interesting RNGs which are too young to warrant investigation, (b) RNGs under investigation (i.e. an open issue), (c) RNGs adopted into Rand, and (d) RNGs rejected after investigation. Possibly this could be an issue or an 'md' document in the repo.

@burdges
Contributor

burdges commented May 17, 2018

All the PRNGs will live in separate crates anyways, right? If so, the question becomes if those crates live in the rand repository or elsewhere, right?

If folks want several young PRNG crates in one repository then I'll suggest the name rand-young, which might provide a nice place for discussion, collaboration, etc.

@pitdicker
Contributor Author

> If folks want several young PRNG crates in one repository then I'll suggest the name rand-young, which might provide a nice place for discussion, collaboration, etc.

Something to keep in mind, but that could also become quite a time sink. I don't think we should start such a crate any time soon.

@dhardy
Member

dhardy commented May 28, 2018

I added a policies section to the wiki: https://github.com/rust-lang-nursery/rand/wiki/Policies

@dhardy dhardy closed this as completed May 28, 2018
@vks
Collaborator

vks commented May 28, 2018

What does "formally published" mean? Does this require publication in a peer-reviewed journal or is a blog post enough? Similarly, what makes third-party review significant?

@dhardy
Member

dhardy commented May 28, 2018

In my opinion, "formal publication" means publication of an article by the author introducing and discussing the subject, and comparing to existing alternatives. This could be a journal article or simply a blog post, but should include significant discussion. For example the Randen repo has only minimal introduction and discussion and does not meet our requirement; I'm hoping we see a proper article on this generator later.

Significant third-party review is a bit harder to formally define in my opinion 😄

@jan-wassenberg

The Randen paper is now online :) https://arxiv.org/abs/1810.02227
We welcome any comments/discussion.

@dhardy
Member

dhardy commented Oct 5, 2018

Thanks! I cross-posted to #299.
