On Thu, May 15, 2008 at 4:41 PM, Erik de Castro Lopo
<[EMAIL PROTECTED]> wrote:
> Goetz Babin-Ebell wrote:
>
>> But here the use of this uninitialized data is intentional
>> and the programmers are very well aware of what they did.
>
> The use of uninitialized data in this case is stupid because the
> entropy of this random data is close to zero.
>
> The only sane way to deal with this is to either make it zero
> or make it truly random.
>
> Erik

I disagree.  If there's a performance cost to making openssl happy
with valgrind, I'd rather have there be an option that defaults to
optimize security and performance at the expense of debugging
capability.  Debugging is the infrequent case.

Although I disagree, I understand your argument.  However, you weaken
your position by using the words "stupid" and "sane;" they make you
seem disrespectful.

-JP
______________________________________________________________________
OpenSSL Project                                 http://www.openssl.org
Development Mailing List                       openssl-dev@openssl.org
Automated List Manager                           [EMAIL PROTECTED]
