Bug#336651: libapr0: Need to compile --with-devrandom=/dev/urandom

To: Steve Langasek <vorlon@debian.org>, 336651@bugs.debian.org
Subject: Bug#336651: libapr0: Need to compile --with-devrandom=/dev/urandom
From: "Mark A. Hershberger" <mah@everybody.org>
Date: Tue, 01 Nov 2005 15:43:06 -0500
Message-id: <[🔎] 4367D35A.8050806@everybody.org>
Reply-to: "Mark A. Hershberger" <mah@everybody.org>, 336651@bugs.debian.org
In-reply-to: <[🔎] 20051101062438.GR27637@tennyson.dodds.net>
References: <E1EWeda-0007UN-2E@superman.everybody.org> <[🔎] 20051101062438.GR27637@tennyson.dodds.net>

Steve Langasek wrote:

> It is quite likely that it is not a bug at all -- /dev/urandom is *not* a

proper replacement for /dev/random when real entropy is needed, and the

> Debian packages should not sacrifice security casually.

"svnadmin create repos" and other svn commands that need UUIDs don'twork entropy isn't available. They hang.

Thus, you've created a security problem (denial of service) by makingpolicy decisions that should be left for the site to make (e.g. what"quality" of randomness do we need from apr?)


--
http://mah.everybody.org/weblog/
GPG Fingerprint: 7E15 362D A32C DFAB E4D2  B37A 735E F10A 2DFC BFF5

Someone will always sell you for 30 pieces of silver.
 -- Andrei Rublev

Attachment: signature.asc
Description: OpenPGP digital signature

Reply to:

References:
- Bug#336651: libapr0: Need to compile --with-devrandom=/dev/urandom
  - From: Steve Langasek <vorlon@debian.org>

Prev by Date: Bug#322348: /etc/init.d/apache script wasn't removed by postrm
Next by Date: Bug#322348: /etc/init.d/apache script wasn't removed by postrm
Previous by thread: Bug#336651: libapr0: Need to compile --with-devrandom=/dev/urandom
Next by thread: Processed: Re: Bug#336651: libapr0: Need to compile --with-devrandom=/dev/urandom
Index(es):
- Date
- Thread