On Thursday 15 May 2008 17:31:45 Erik de Castro Lopo wrote: > Geoff Thorpe wrote: > > Then tell your linux distribution to use -DPURIFY. > > Hangon, I've got a better idea. How about the OpenSSL develoeprs > fix their library so that the standard version that they ship is > valgrind clean. Then the distributions won't need to do anything > other than compile it.
What, you mean like how the standard version we ship has a good PRNG, so that the distributions don't need to do anything about that either? Funny, that doesn't work so well in the real world. Distributions always do something before compiling packages, as debian has so succinctly and spectacularly demonstrated. They pick target architecture settings for the distribution that are independent of the build host (eg. cross-compilation for non-x86 hosts, etc) and another other configuration options they think useful/necessary. Eg. static/dynamic, PIC or not, symbols or not, installation paths, optional features (and dependencies), documentation, [...]. Sometimes they even throw in patches, which is where they diverge dangerously from what we provide. If it is the distribution's preference to have openssl unnecessarily memset and/or unnecessarily restrict its seeding to pander to an unmodified and unconfigured valgrind, be that in the standard package or any other debug package, then that is their choice. We provide a (supported) method for doing this, it's called -DPURIFY. It doesn't require *any* source-code patching. <ahem>. Valgrind is a great tool and no doubt many non-noobs put it to good use on a daily basis. It helps find non-deterministic behaviour. That it finds non-deterministic behaviour in our PRNG should not be cause for basement-dwellers the world over to rise up against common-sense. We have a FAQ in case you get confused, and valgrind can also be "taught" to work around such cases as this. And again, you can build openssl to side-step the false-positives for a very small overhead. Just what level of base, ill-informed, and incompetent debugging "help" do we need to cater to? And to what non-technical extents are we prepared to go for it? Cheers, Geoff ______________________________________________________________________ OpenSSL Project http://www.openssl.org Development Mailing List openssl-dev@openssl.org Automated List Manager [EMAIL PROTECTED]
