Whatever we do, let's document it as best we can in places users will find
it.

Gary

On Fri, Feb 8, 2019, 06:36 sebb <seb...@gmail.com wrote:

> -1 to the release:
> I don't think we can release the code as is; it is bound to cause
> significant delays on some systems.
>
> I think we need to establish whether using 'new SecureRandom()'
> instead of SecureRandom.getInstanceStrong() makes the long delays go
> away.
>
> Then we need to establish whether we really need
> SecureRandom.getInstanceStrong().
> From what I read in the link posted by Bruno:
>
> https://tersesystems.com/blog/2015/12/17/the-right-way-to-use-securerandom/
> and linked posts such as:
> https://www.2uo.de/myths-about-urandom/
>
> it looks like 'new SecureRandom()' would be just as good for our purposes.
>
> S.
>
> On Fri, 8 Feb 2019 at 11:12, Gary Gregory <garydgreg...@gmail.com> wrote:
> >
> > On Fri, Feb 8, 2019, 03:58 Gilles Sadowski <gillese...@gmail.com wrote:
> >
> > > Hello Bruno.
> > >
> > > On Fri, 8 Feb 2019 at 02:54, Bruno P. Kinoshita <ki...@apache.org>
> > > wrote:
> > > >
> > > > Hi,
> > > >
> > > > Had a bit of spare time to investigate this one (almost end of
> > > > Friday for me anyway, hooray!).
> > > >
> > > > There are two unit tests in Sha512 hanging for me in Eclipse,
> > > > testSha512CryptExplicitCall and testSha512CryptNullData. The code
> > > > that the test uses and hangs in my JVM can be simplified to:
> > > >
> > > > ```
> > > > String salt = B64.getRandomSalt(8);
> > > > System.out.println(salt); // never seen
> > > > ```
> > > >
> > > > Looking at B64, we have this: `SecureRandom.getInstanceStrong()`,
> > > > which is the random object. Used to randomly pick a letter of the
> > > > B64 alphabet.
> > >
> > > Where is that code?
> > >
> > >
> https://gitbox.apache.org/repos/asf?p=commons-codec.git;a=blob;f=src/main/java/org/apache/commons/codec/digest/B64.java;h=abd83fc34cd3b0df61fb6c0b33772d9cb5f559a7;hb=refs/heads/1_12
> >
> >
> > That should be an array, not a string IMO.
> >
> > Gary
> >
> > >
> > >
> > > Gilles
> > >
> > > >
> > > > It appears this one may take a long time in some systems due to
> > > > low entropy. i.e. it tries to gather more random data to give you a
> > > > really strong random... only that it appears to take a long long
> > > > time for my JVM.
> > > >
> > > > Cheers
> > > > Bruno
> > > >
> > > >
> > >
> https://tersesystems.com/blog/2015/12/17/the-right-way-to-use-securerandom/
> > > >
> > > >
> > > > On Friday, 8 February 2019, 2:31:35 pm NZDT, Rob Tompkins
> > > > <chtom...@gmail.com> wrote:
> > > >
> > > > > On Feb 7, 2019, at 8:17 PM, sebb <seb...@gmail.com> wrote:
> > > > >
> > > > > It builds fine on ubuntu trusty with Java 8
> > > >
> > > > Agree
> > > >
> > > > >
> > > > >
> > >
> https://builds.apache.org/view/A-D/view/Commons/job/Commons-Codec-Adhoc/
> > > > >
> > > > > > Maybe sprinkle the Sha2Crypt.sha2Crypt method with debug prints
> > > > > > to see where the code is hanging?
> > > > > >
> > > > > > Or can you run the test in an IDE that allows you to interrupt
> > > > > > it if it hangs?
> > > > > > > [...]
> > >
> > > ---------------------------------------------------------------------
> > > To unsubscribe, e-mail: dev-unsubscr...@commons.apache.org
> > > For additional commands, e-mail: dev-h...@commons.apache.org
> > >
> > >
>
>
>
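
The comparison sebb asks for above can be run as a small timing check; this is an added example, not code from the thread or from Commons Codec. The class name, the `randomSalt` and `timed` helpers, the alphabet constant and the 10-second timeout are all assumptions made for illustration.

```java
import java.security.SecureRandom;
import java.util.concurrent.*;

public class SaltSourceCheck {
    // crypt(3)-style alphabet; assumed here, not copied from B64.java
    static final char[] ALPHABET =
        "./0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz".toCharArray();

    // Hypothetical helper: pick `num` alphabet characters with the given generator.
    static String randomSalt(SecureRandom rng, int num) {
        StringBuilder sb = new StringBuilder(num);
        for (int i = 0; i < num; i++) {
            sb.append(ALPHABET[rng.nextInt(ALPHABET.length)]);
        }
        return sb.toString();
    }

    // Builds the generator and one 8-character salt on a daemon thread,
    // and reports a hang instead of blocking the caller indefinitely.
    static String timed(String label, Callable<SecureRandom> source, long timeoutSec)
            throws InterruptedException {
        ExecutorService pool = Executors.newSingleThreadExecutor(r -> {
            Thread t = new Thread(r, label);
            t.setDaemon(true); // a blocked entropy read must not keep the JVM alive
            return t;
        });
        long start = System.nanoTime();
        Future<String> f = pool.submit(() -> randomSalt(source.call(), 8));
        try {
            String salt = f.get(timeoutSec, TimeUnit.SECONDS);
            long ms = (System.nanoTime() - start) / 1_000_000;
            return label + ": salt of length " + salt.length() + " in " + ms + " ms";
        } catch (TimeoutException e) {
            return label + ": still blocked after " + timeoutSec + " s";
        } catch (ExecutionException e) {
            return label + ": failed: " + e.getCause();
        } finally {
            pool.shutdownNow();
        }
    }

    public static void main(String[] args) throws Exception {
        System.out.println(timed("new SecureRandom()", SecureRandom::new, 10));
        System.out.println(timed("getInstanceStrong()", SecureRandom::getInstanceStrong, 10));
    }
}
```

Run it on the machine where the tests hang; results depend on the JVM's `securerandom.source` and `securerandom.strongAlgorithms` security properties and on the operating system's entropy source.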
