On Friday 05 December 2014 18:12:59 Jérémie Courrèges-Anglas wrote: > Hi, > > Tim Rühsen <[email protected]> writes: > > Am Mittwoch, 3. Dezember 2014, 12:36:33 schrieb Jérémie Courrèges-Anglas: > >> Hi, > >> > >> Giuseppe Scrivano <[email protected]> writes: > >> > >> [...] > >> > >> > we should also hide --rand-egd from wget --help and do not accept this > >> > option when HAVE_RAND_EGD is not set. > >> > >> I thought about that and took the lazy approach: the option is still > >> available even if gnutls is used, even though it's a nop. Why then > >> change the interface if libressl is used instead of openssl/gnutls? > >> > >> Or maybe this was merely overlooked and openssl should really be > >> a special case here, dunno. > > > > IMHO, we should accept --rand-egd to not introduce regressions. > > But instead of silently ignoring the users demand, we should print a > > warning about the LibreSSL/RAND_egd() issue. > > LibreSSL doesn't have any issue wrt RAND_egd(). This function was > deleted on purpose. > > > Maybe saying, that a modern /dev/random > > is more secure than the EGD ? > > > > It would not be nice if someone loses security without being warned. > > LibreSSL users won't lose anything. LibreSSL does the right thing wrt > RNG initialization, consumer applications don't need to mess with this. > > If you *really* want to print a warning message for LibreSSL users > please make it rude. :) > > >> Or... another alternative would be to get rid of RAND_egd altogether, > >> with --egd-file staying for compat for a few releases. :) > > > > The question here is, where and in which way is EGD still useful !? > > Maybe it is already obsolete on very most systems ? > > We should keep this in mind for 1.17+. > > Looking at the openssl code, it looks like egd is automatically queried > - since 2001 - if /dev/*random didn't return enough bytes. See > rand_unix.c > > Your call... I wouldn't bother about that stuff in your place.
Thanks for your contribution. I pushed your patch together with some little changes around it (different commits). Tim
signature.asc
Description: This is a digitally signed message part.
