Re: Use arc4random in devel/glib2

2016-05-20 Thread Brent Cook
On Tue, May 17, 2016 at 5:50 PM, Theo de Raadt wrote: > > > https://github.com/libressl-portable/portable/tree/master/m4 > > > has autoconf checks with an OS whitelist for arc4random. > > > It would be nice to keep things similar to these so that > > > updates can be

Re: Use arc4random in devel/glib2

2016-05-17 Thread Theo de Raadt
> > https://github.com/libressl-portable/portable/tree/master/m4 > > has autoconf checks with an OS whitelist for arc4random. > > It would be nice to keep things similar to these so that > > updates can be merged across from newer versions easily. > > I disagree. > > > libressl is making

Re: Use arc4random in devel/glib2

2016-05-17 Thread Theo de Raadt
> > Anecdotally, libbsd's arc4random is not necessarily secure. IIUC the > > code isn't as glaringly dangerous as g_rand*, but it will seed with only > > the time and PID if other sources fail. I think we should avoid > > conflating BSDs' arc4randoms with libbsd's. > > > >

Re: Use arc4random in devel/glib2

2016-05-17 Thread Theo de Raadt
> Dmitrij D. Czarkoff wrote: > > Stuart Henderson said: > > > glib2 is a pretty clean port patch-wise. This sort of thing would be > > > better done with proper autoconf etc so it can go upstream. > > > > Totally agree. It would be best if upstream would maintain the code. > > They could benefit

Re: Use arc4random in devel/glib2

2016-05-17 Thread Stuart Henderson
On 2016/05/17 18:16, Michael McConville wrote: > Dmitrij D. Czarkoff wrote: > > Stuart Henderson said: > > > glib2 is a pretty clean port patch-wise. This sort of thing would be > > > better done with proper autoconf etc so it can go upstream. > > > > Totally agree. It would be best if upstream

Re: Use arc4random in devel/glib2

2016-05-17 Thread Michael McConville
Dmitrij D. Czarkoff wrote: > Stuart Henderson said: > > glib2 is a pretty clean port patch-wise. This sort of thing would be > > better done with proper autoconf etc so it can go upstream. > > Totally agree. It would be best if upstream would maintain the code. > They could benefit from

Re: Use arc4random in devel/glib2

2016-05-05 Thread Dmitrij D. Czarkoff
Stuart Henderson said: > glib2 is a pretty clean port patch-wise. This sort of thing would be > better done with proper autoconf etc so it can go upstream. Totally agree. It would be best if upstream would maintain the code. They could benefit from arc4random on other BSDs and libbsd-enabled

Re: Use arc4random in devel/glib2

2016-05-05 Thread Stuart Henderson
glib2 is a pretty clean port patch-wise. This sort of thing would be better done with proper autoconf etc so it can go upstream. On 2016/05/05 15:02, Vadim Zhukov wrote: > 2016-05-05 3:00 GMT+03:00 Michael McConville: > > I've had this sitting around for a while. > > > >

Re: Use arc4random in devel/glib2

2016-05-05 Thread Vadim Zhukov
2016-05-05 3:00 GMT+03:00 Michael McConville: > I've had this sitting around for a while. > > GLib's g_rand* functions use a simple Mersenne Twister, and the docs > warn against their use where strong randomness is needed: > >

Use arc4random in devel/glib2

2016-05-04 Thread Michael McConville
I've had this sitting around for a while. GLib's g_rand* functions use a simple Mersenne Twister, and the docs warn against their use where strong randomness is needed: https://developer.gnome.org/glib/stable/glib-Random-Numbers.html g_rand_* are deterministic, while g_random_* are