Russ,
1) DISABLING BY DEFAULT: Many thanks for the feedback, I never thought
of this issue! I did already put checkboxes to disable it (1) in the
menu options, and (2) in the window that asks whether to go to the gnubg
website to upgrade.
The problem of disabling it by default is that the vast majority of
users won't look for it in the options and will stay with old gnubg
versions.
How about the following idea: It is disabled by default, as you
suggested. We record the day that the user starts using a given version
of gnubg. Then, 1-2 months later, gnubg asks the user whether to enable
the feature and automatically look online for updates? So it's opt-in
rather than opt-out, but with a one-time nagging.
2) RANDOM DICE: For the record, it looks like the default random number
generator relies on Mersenne (dice.c, line 75), so it doesn't go online.
Mersenne uses some genrand_int32 function (cf. RollDice function in
dice.c), which seems to be an implementation from 1997-2002 in
lib/19937ar.c
It seems that it has been updated online in 2011
(http://www.math.sci.hiroshima-u.ac.jp/m-mat/MT/emt.html), if someone
wants to introduce that in gnubg.
Gnubg could also implement urandom, but then this would be
platform-specific. It seems that Windows has something as well:
https://learn.microsoft.com/en-us/windows/win32/api/ntsecapi/nf-ntsecapi-rtlgenrandom
Developing platform-dependent functions sounds like extra work, but I am
no expert, so anyone should feel free to introduce it if it looks like a
needed feature.
Thanks,
- Isaac
On 17-Feb-23 6:58 PM, Russ Allbery wrote:
Isaac Keslassy <[email protected]> writes:
In addition, (7) gnubg will automatically check if there is a newer
gnubg version online.
Would it be possible to provide a way for distribution packagers to set
the default for this option to disabled? Debian has users who are
extremely sensitive to software reporting their activities to anywhere on
the Internet without their explicit consent, so we have a general
distribution policy to not enable checks like this by default. (There is
unfortunately no way that I know of to check for a newer version without
telling some server that someone just ran gnubg.)
(That reminds me that I think gnubg is probably also using random.org by
default and probably should use /dev/urandom by default instead on
Debian.)
I'd of course document this change and explain how to turn it back on for
anyone who wants it.
--
Russ Allbery ([email protected]) <https://www.eyrie.org/~eagle/>
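
The /dev/urandom option discussed in this thread, sketched as an added example that is not part of the original e-mails and is not gnubg code: it rolls two dice from the kernel random source and rejects bytes that would bias the result. The names die_from_byte and roll_dice are hypothetical, and the code assumes a POSIX system that provides /dev/urandom (Windows would need a different source, such as the RtlGenRandom API linked above).

```c
/* Added example, not gnubg code: unbiased dice from /dev/urandom. */
#include <stdio.h>

/* Map one random byte to a die face 1..6, or return 0 if the byte must
 * be rejected. 256 is not a multiple of 6, so bytes 252..255 are thrown
 * away; the remaining 252 values (6 * 42) give each face equal weight. */
int die_from_byte(unsigned char b)
{
    if (b >= 252)
        return 0;
    return (int)(b % 6) + 1;
}

/* Roll two dice from /dev/urandom (assumed path, POSIX only).
 * Returns 0 on success, -1 if the device cannot be opened or read. */
int roll_dice(int dice[2])
{
    FILE *f = fopen("/dev/urandom", "rb");
    int n = 0;

    if (!f)
        return -1;
    /* Unbuffered: read only the bytes actually used for the roll. */
    setvbuf(f, NULL, _IONBF, 0);
    while (n < 2) {
        unsigned char b;
        int face;

        if (fread(&b, 1, 1, f) != 1) {
            fclose(f);
            return -1;
        }
        face = die_from_byte(b);
        if (face != 0)          /* rejected bytes are simply re-drawn */
            dice[n++] = face;
    }
    fclose(f);
    return 0;
}

int main(void)
{
    int d[2];

    if (roll_dice(d) != 0) {
        fprintf(stderr, "cannot read /dev/urandom\n");
        return 1;
    }
    printf("%d %d\n", d[0], d[1]);
    return 0;
}
```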