On Mon, 28 Apr 2014 16:52:10 +0000 (UTC), Thorsten Glaser wrote:
> For their OpenSSL fork, specifically, they rely on some system
> properties such as their RNG’s behaviour way too much [...]
I would think Linux and FreeBSD have much better PRNGs now than what has been done until now in OpenSSL.

In case seeding from /dev/urandom is not trustworthy, OpenSSL is resorting to mixing in uninitialised blocks of memory, the time, private key exponents, digests, and in one case a structure returned by stat().

If this had been overhauled earlier, the Debian OpenSSL bug might have never happened? (Use of uninitialised memory was causing valgrind warnings in applications using the library, and the mistake was made trying to work around that, I think.)

Regards,
-- 
Steven Chamberlain
ste...@pyro.eu.org

Archive: https://lists.debian.org/53602127.2020...@pyro.eu.org