On 6/14/2010 7:59 PM, Nicholas Maniscalco wrote:
> Is using OpenSSL built with the PURIFY flag considered "secure"?
> I ask because I came across this comment, in md_rand.c:
>
> #ifndef PURIFY /* purify complains */
> /* DO NOT REMOVE THE FOLLOWING CALL TO MD_Update()! */
> if (!MD_Update(&m,buf,j))
>     goto err;
> /* We know that line may cause programs such as
>    purify and valgrind to complain about use of
>    uninitialized data. */
> #endif
The last time someone went by such nonsense[1], they created an entirely exploitable set of keys on all Debian/Ubuntu-derived distributions. Good luck with that, and please let us know what you are maintaining, so that we might avoid such distributions and products.

[1] http://www.debian.org/security/2008/dsa-1571

______________________________________________________________________
OpenSSL Project                                 http://www.openssl.org
Development Mailing List                       openssl-dev@openssl.org
Automated List Manager                           majord...@openssl.org
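To make the point of that "DO NOT REMOVE" comment concrete, here is an added example that is not part of the thread and not OpenSSL's md_rand.c: a simplified digest-driven PRNG model in which a boolean flag stands in for the #ifndef PURIFY guard around MD_Update(&m,buf,j). The pid, seed state and buffer contents are constructed values; the model shows that once the mixing call is compiled out, the output no longer depends on the caller's buffer at all.

```python
import hashlib
from typing import Tuple

# Added example, not OpenSSL's code: a simplified model of a digest-driven PRNG
# in the style of md_rand.c. `mix_caller_buffer` stands in for the
# #ifndef PURIFY guard: True keeps the MD_Update(&m,buf,j) call, False models
# a build where that mixing step is compiled out.
def toy_rand_bytes(state: bytes, pid: int, caller_buf: bytes, num: int,
                   mix_caller_buffer: bool = True) -> Tuple[bytes, bytes]:
    """Return (output, new_state).  `state` is the global digest state and
    `caller_buf` is whatever the caller's output buffer held before the call
    (in C this may be uninitialized memory, which is why purify complains)."""
    out = b""
    counter = 0
    while len(out) < num:
        md = hashlib.md5()
        md.update(state)
        md.update(pid.to_bytes(4, "little"))
        md.update(counter.to_bytes(4, "little"))
        if mix_caller_buffer:
            # The call the comment says must not be removed: fold the
            # caller's buffer contents in as an extra source of unpredictability.
            md.update(caller_buf[len(out):len(out) + 16])
        block = md.digest()          # 16 bytes of output per iteration
        out += block
        # Feed the block back so the global state keeps evolving.
        state = hashlib.md5(state + block).digest()
        counter += 1
    return out[:num], state

def outputs_differ(mix_caller_buffer: bool) -> bool:
    """Two processes with identical seed state and pid but different leftover
    buffer contents (constructed stand-ins for uninitialized memory): do their
    PRNG outputs differ?  True only while the mixing call is still present."""
    seed_state = hashlib.md5(b"constructed identical seed").digest()
    buf_a = bytes(range(0, 32))      # constructed leftover buffer, process A
    buf_b = bytes(range(32, 64))     # constructed leftover buffer, process B
    out_a, _ = toy_rand_bytes(seed_state, 1234, buf_a, 32, mix_caller_buffer)
    out_b, _ = toy_rand_bytes(seed_state, 1234, buf_b, 32, mix_caller_buffer)
    return out_a != out_b

if __name__ == "__main__":
    print("MD_Update kept:          outputs differ =", outputs_differ(True))
    print("PURIFY build (call gone): outputs differ =", outputs_differ(False))
```

The model is deliberately minimal (MD5 as the digest, one extra entropy source); the lesson is structural: every mixing call removed is an input the PRNG state can no longer depend on.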