On Thursday 15 May 2008 11:52:08 John Parker wrote:
> > It is already possible to use openssl and valgrind - just build OpenSSL
> > with -DPURIFY, and it is quite clean.
> >
> > (we do it all the time here with WvStreams and Pathfinder, and it works
> > like a charm).
>
> The problem is that this may reduce the keyspace so that keys are
> guessable.

No it won't, it removes an "entropy source" whose quality is known to be unknown, i.e. it may add nothing useful, it gets used "just in case". Removing it does not "reduce the keyspace" at all. All you can say is that leaving it there *may* improve the PRNG depending on the user, the environment, the application, and quite probably, the alignment of the planets...

The Debian patch went further than -DPURIFY, as it removed more than just this "unreliable" source, it removed all use of reliable sources as well.

> http://blog.isotoma.com/2008/05/debians_openssl_disaster.html

This blog does not suggest that building with -DPURIFY would be a problem and nor should it. I think you may have misunderstood the details of this issue.

Cheers,
Geoff

______________________________________________________________________
OpenSSL Project                                 http://www.openssl.org
Development Mailing List                       openssl-dev@openssl.org
Automated List Manager                           [EMAIL PROTECTED]
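
Added example, not part of the original message and not OpenSSL code: a toy hash-based pool in Python contrasting the two cases in the reply above, dropping only an input of unknown quality (the -DPURIFY analogue) versus dropping the reliable input as well, and auditing the resulting keys against the enumerable weak set. The function names, the SHA-256 pool and the 15-bit residual value are assumptions made for illustration.

```python
import hashlib
import os
import random

RESIDUAL_BITS = 15  # assumption: size of the only input left once all seeding is removed

def derive_key(*sources: bytes) -> bytes:
    """Toy pool: hash all inputs together; the digest stands in for a generated key."""
    pool = hashlib.sha256()
    for s in sources:
        pool.update(len(s).to_bytes(4, "big") + s)  # length prefix keeps inputs unambiguous
    return pool.digest()

def key_default(residual: int) -> bytes:
    # Reliable source plus a buffer of unknown quality (worst case: constant bytes).
    return derive_key(os.urandom(32), b"\x00" * 64, residual.to_bytes(2, "big"))

def key_purify(residual: int) -> bytes:
    # -DPURIFY analogue: only the unknown-quality buffer is dropped.
    return derive_key(os.urandom(32), residual.to_bytes(2, "big"))

def key_all_removed(residual: int) -> bytes:
    # Analogue of removing the reliable source too: only the residual value remains.
    return derive_key(residual.to_bytes(2, "big"))

def build_blocklist() -> set:
    """Every key the fully stripped generator can ever produce."""
    return {key_all_removed(r) for r in range(2 ** RESIDUAL_BITS)}

def audit(keys, blocklist) -> int:
    """Count how many keys fall inside the enumerable weak set."""
    return sum(1 for k in keys if k in blocklist)

def run(trials: int = 2000) -> dict:
    rng = random.Random(2008)  # constructed sample of residual values
    residuals = [rng.randrange(2 ** RESIDUAL_BITS) for _ in range(trials)]
    blocklist = build_blocklist()
    return {
        "blocklist_size": len(blocklist),
        "default_flagged": audit((key_default(r) for r in residuals), blocklist),
        "purify_flagged": audit((key_purify(r) for r in residuals), blocklist),
        "all_removed_flagged": audit((key_all_removed(r) for r in residuals), blocklist),
        "purify_distinct": len({key_purify(r) for r in residuals}),
    }

if __name__ == "__main__":
    print(run())
```

In this model the audit flags no key from the default or -DPURIFY-style generators and flags every key from the generator with all sources removed.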