math/rand: warn against using package for security-sensitive work

Urge users of math/rand to consider using crypto/rand when doing
security-sensitive work.

Related to issue #11871. While we haven't reached consensus on how
to make the package inherently safer, everyone agrees that the docs
for math/rand can be improved.

Change-Id: I576a312e51b2a3445691da6b277c7b4717173197
Reviewed-on: https://go-review.googlesource.com/12900
Reviewed-by: Rob Pike <r@golang.org>

diff --git a/src/math/rand/rand.go b/src/math/rand/rand.go
index 3ffb5c4e5c64d2062e448e028146028aed940693..6360128e3916ad9195b0064961b6cfd384bb86ef 100644 (file)
--- a/src/math/rand/rand.go
+++ b/src/math/rand/rand.go
@@ -9,6 +9,9 @@
 // sequence of values each time a program is run. Use the Seed function to
 // initialize the default Source if different behavior is required for each run.
 // The default Source is safe for concurrent use by multiple goroutines.
+//
+// For random numbers suitable for security-sensitive work, see the crypto/rand
+// package.
 package rand
 
 import "sync"