Thread: gen_random_uuid random source clarification

The following documentation comment has been logged on the website:

Page: https://www.postgresql.org/docs/17/functions-uuid.html
Description:

In reference to the documentation for gen_random_uuid at:
https://www.postgresql.org/docs/17/functions-uuid.html
It would be good to add a comment about the quality/suitability of the
random bits generated.
The function internally traces back to pg_strong_random, with this source
code comment:
https://github.com/postgres/postgres/blob/8969194b73dbc9642a0302225f686f9febd95c90/src/port/pg_strong_random.c#L30
"The returned bytes are cryptographically secure, suitable for use e.g. in
authentication."
It would be good to add a similar comment to the doc page for
gen_random_uuid for clarity.
Technically speaking, the UUID4 spec dictates that a random UUID "SHOULD"
use a cryptographically secure source, but does not make it mandatory and
suggests that a less secure source can be used as a fallback when CSPRNG is
not available:
https://datatracker.ietf.org/doc/html/rfc9562#name-unguessability
Therefore I think it is valuable to note that gen_random_uuid *always*
relies on a secure source, and will fail when no secure source is available
rather than using a fallback (at least, that is my understanding based on a
quick scan of the source code).