Re: Porting issue with openssl and no /dev/random
From | Bruno Wolff III |
---|---|
Subject | Re: Porting issue with openssl and no /dev/random |
Date | |
Msg-id | 20011030094945.A32446@cerberus.csd.uwm.edu |
In reply to | Re: Porting issue with openssl and no /dev/random (Tom Lane <tgl@sss.pgh.pa.us>) |
List | pgsql-bugs |

On Tue, Oct 30, 2001 at 10:13:27AM -0500, Tom Lane <tgl@sss.pgh.pa.us> wrote:
> Bruno Wolff III <bruno@cerberus.csd.uwm.edu> writes:
> > It looks like they consider not running without seeding the PRNG a feature
> > and that this isn't something likely to change soon.
>
> One man's feature is another man's bug, I'd say. How can they consider
> it a good decision to leave it to the application to solve this problem?
> Especially when they *do* solve the seeding problem on some platforms?
> Their stance is completely inconsistent. If they're concerned about
> preventing use of predictable seeds, the last thing they should want to
> do is allow a surrounding application to apply a sloppy solution (like
> the constant seed you just suggested). They should think of the best
> solution they can, and embody it in their library. There is *no* chance
> that an application developer is going to invent a better way on the
> spur of the moment, and every chance that he'll blow a mile-wide hole
> in the security of their library.

In some sense the real problem is that tru64 unix doesn't have a /dev/random device. This should really be a standard feature in all unix like systems.

I can see from your point of view that their library is broken. It would probably make the most sense to pick some initialization method(s) when building openssl rather than using a platform independent list to try out at run time.

Maybe a note could get tacked on to the INSTALL information for enabling ssl to warn people that there might be issues if they are using openssl and their system doesn't have a /dev/random device?