I have been meaning to chime in on this thread since it was first posted, but have been either too busy or too exhausted or both, and I’m not sure I read all of the various proposals that are floating around, so I apologize if this repeats anything.
The main thing I want to say is that I understand why people like @Lokathor want to avoid getting into the question of whether their design is sound for cryptographic applications — but, I think it’s vital that the default primitive random number generator, the one you get if you don’t do anything special, is an automatically-seeded CSPRNG. This is because people will reach for the equivalent of C’s
rand(3) in situations where they need a CSPRNG but don’t realize it, such as generation of HTTP session cookies. Yes, there are better ways to generate HTTP session cookies, but if the
rand-equivalent is an auto-seeded CSPRNG, the low bar goes from “catastrophically insecure” to “nontrivial to exploit,” and that’s valuable. Relatedly, there’s reasonably strong evidence that the simulation people should be using CSPRNGs, whether they realize it or not. And I have it from people who have actually implemented CSPRNGs that the state of the art can be as fast, on an amortized basis, as a linear congruential generator(!) so there’s really no reason not to go for cryptographic soundness.
So without getting into the argument over user-space versus operating system RNGs, or reseeding, or whatever (I have opinions about those too, but my parking meter’s about to expire) the fundamental split between “generate random bits” and “generate picks from a distribution” seems sound, and borrowing C++'s notion of pluggable generators also seems sound, but I would banish all non-cryptographic algorithms to a
historic_rng crate or something, clearly labeled “use only to reproduce old results,” and I would also make you have to work at it to supply your own random seed.
The other thing I want to mention right now is that, according to an unpublished 2007 manuscript, everyone generates random floating-point numbers in the half-open interval