On Fri, Apr 24, 2026 at 13:15 +0800, Kevin J. McCarthy wrote:
> For the sizes of data mutt typically requests, getrandom() should
> never fail, but nonetheless add code to make it retry on interrupt,
> and fall back to the built-in PRNG only if it has to.
That code looks reasonable.
> This version switches to using ssize_t for the length parameter and
> result from getrandom(), and thus doesn't have any unsafe casts.
Good for getrandom() return value, but why for its length argument?
That argument is type size_t (at least on my system), and it comes from
an argument to mutt_random_bytes() that's also size_t.
Only other use I see is
    requested -= result;
Whether requested is signed only matters if either variable has wrapped
around into negative[1], and in that case I don't see any good result
of that subtraction either way.
[1] Only possible, I guess, if the length argument to
mutt_random_bytes() is monstrously huge.
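An added example, not mutt's code and not part of this thread, of the shape the reply argues for: the length stays size_t, only getrandom()'s result is ssize_t, the loop retries on EINTR and short reads, and the PRNG is used only when the kernel source fails. fill_from_source, random_bytes_example and fake_source are hypothetical names, the PRNG is a constructed stand-in, and fake_source is a constructed source that fails once with EINTR and then returns 3 bytes per call so the retry path can be exercised offline.

```c
#define _GNU_SOURCE
#include <errno.h>
#include <sys/random.h>
#include <sys/types.h>
/* Signature shared by getrandom() and the constructed fake source below. */
typedef ssize_t (*rand_source_fn)(void *buf, size_t len, unsigned int flags);
/* Fills buf from `source`; retries on EINTR and short reads, returns -1 on any
 * other error. Length stays size_t like its caller's; only the result is ssize_t. */
static int fill_from_source(rand_source_fn source, unsigned char *buf, size_t requested)
{
    while (requested > 0) {
        ssize_t result = source(buf, requested, 0);
        if (result < 0) {
            if (errno == EINTR) continue;  /* interrupted by a signal: retry */
            return -1;                     /* e.g. ENOSYS: caller falls back */
        }
        /* 0 <= result <= requested here: the cast is safe and the subtraction cannot wrap. */
        buf += result;
        requested -= (size_t)result;
    }
    return 0;
}
/* Hypothetical counterpart of mutt_random_bytes(): 0 = kernel supplied every
 * byte, 1 = the stand-in PRNG below was used (illustration only, do not ship). */
int random_bytes_example(unsigned char *buf, size_t requested)
{
    static unsigned long long s = 0x9E3779B97F4A7C15ULL;  /* constructed seed */
    if (fill_from_source(getrandom, buf, requested) == 0) return 0;
    while (requested--) { s = s * 6364136223846793005ULL + 1ULL; *buf++ = (unsigned char)(s >> 56); }
    return 1;
}
/* Constructed source: fails once with EINTR, then hands out 3 bytes per call. */
static int fake_calls;
static ssize_t fake_source(void *buf, size_t len, unsigned int flags)
{
    (void)flags; if (++fake_calls == 1) { errno = EINTR; return -1; }
    size_t n = len < 3 ? len : 3;
    for (size_t i = 0; i < n; i++) ((unsigned char *)buf)[i] = 0x5A;
    return (ssize_t)n;
}
/* Asks fake_source for 8 bytes; returns the calls it took (4: EINTR, 3, 3, 2), or -1 on failure. */
int fake_retry_demo(void)
{
    unsigned char buf[8] = {0}; fake_calls = 0;
    if (fill_from_source(fake_source, buf, sizeof buf) != 0) return -1;
    for (size_t i = 0; i < sizeof buf; i++) if (buf[i] != 0x5A) return -1;
    return fake_calls;
}
```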