Re: libbsd package
- To: debian-bsd@lists.debian.org
- Subject: Re: libbsd package
- From: Florian Weimer <fw@deneb.enyo.de>
- Date: Sun, 03 Aug 2008 22:33:35 +0200
- Message-id: <871w15q1nk.fsf@mid.deneb.enyo.de>
- References: <Pine.BSM.4.64L.0806292125100.30307@herc.mirbsd.org> <20080630191209.GG10329@lilotux.net> <Pine.BSM.4.64L.0806302324010.5390@herc.mirbsd.org> <873am7dxep.fsf@mid.deneb.enyo.de> <20080719052045.GC28125@zulo.hadrons.org>
* Guillem Jover:
> If the stable release team would be fine with introducing a new source
> package to stable then I guess the easiest is to just "backport".
> I think it most probably should build on etch w/o modifications.
>
> Otherwise from where were you thinking on generating the library
> package?
We need non-predictable PRNGs for DNS transaction IDs and perhaps source
ports (if we can't fix the kernel due to politics) in adns, libc6,
Net::DNS, ldns, and in various DNS proxies and probably some other stuff
I forgot.
The OpenSSL license is incompatible with some other licenses used by
Debian and cannot be used in a library. The GNUTLS PRNG drains a lot of
entropy from the pool. Reading /dev/urandom directly might be another
option, though.
>> I'd also see a change that limits the number of bytes which is read from
>> /dev/urandom (32 or fewer should be enough). I'm concerned about
>> looping shell scripts draining entropy from the pool at an unacceptably
>> high rate.
>
> I guess that'd be possible, but on what scenario would you see this
> happening?
Anything that uses DNS in a loop. For instance, with a list of a few
dozen URLs,
while read url ; do wget $url ; done
completely depletes the kernel randomness pool, causing issues for
applications that read from /dev/random.
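The two points above (a PRNG whose output is not predictable, and a hard cap of 32 or fewer bytes taken from /dev/urandom so looping clients do not drain the pool) can be shown together in one small generator. The following is an added example and not code from libbsd, from Debian, or from anyone in this thread: it draws exactly one 32-byte seed from /dev/urandom per process, handles short reads and EINTR, and then expands that seed with ChaCha20 (RFC 8439) into 16-bit DNS transaction IDs without ever touching the kernel pool again. The names `chacha20_block`, `txid_init`, `txid_next`, `read_urandom_capped` and the 32-byte cap `SEED_BYTES` are the example's own choices, not an API of any project mentioned here.

```c
/* Added example: capped /dev/urandom seeding plus ChaCha20 expansion for DNS
 * transaction IDs. Not libbsd code; all names below are this example's own. */
#include <errno.h>
#include <fcntl.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>
#include <unistd.h>

#define SEED_BYTES 32   /* hard cap on what one process draws from /dev/urandom */

static uint32_t rotl32(uint32_t v, int c) { return (v << c) | (v >> (32 - c)); }
static uint32_t load32_le(const uint8_t *p) {
    return (uint32_t)p[0] | ((uint32_t)p[1] << 8) | ((uint32_t)p[2] << 16) | ((uint32_t)p[3] << 24);
}
static void store32_le(uint8_t *p, uint32_t v) {
    p[0] = (uint8_t)v; p[1] = (uint8_t)(v >> 8); p[2] = (uint8_t)(v >> 16); p[3] = (uint8_t)(v >> 24);
}

/* ChaCha20 quarter round (RFC 8439, section 2.1). */
#define QR(a, b, c, d)                          \
    a += b; d ^= a; d = rotl32(d, 16);          \
    c += d; b ^= c; b = rotl32(b, 12);          \
    a += b; d ^= a; d = rotl32(d, 8);           \
    c += d; b ^= c; b = rotl32(b, 7);

/* One ChaCha20 block: 64 keystream bytes for (key, nonce, counter). */
void chacha20_block(const uint8_t key[32], const uint8_t nonce[12], uint32_t counter, uint8_t out[64]) {
    uint32_t s[16], x[16];
    int i;
    s[0] = 0x61707865; s[1] = 0x3320646e; s[2] = 0x79622d32; s[3] = 0x6b206574;
    for (i = 0; i < 8; i++) s[4 + i] = load32_le(key + 4 * i);
    s[12] = counter;
    for (i = 0; i < 3; i++) s[13 + i] = load32_le(nonce + 4 * i);
    memcpy(x, s, sizeof x);
    for (i = 0; i < 10; i++) {                 /* 10 double rounds = 20 rounds */
        QR(x[0], x[4], x[8],  x[12]) QR(x[1], x[5], x[9],  x[13])
        QR(x[2], x[6], x[10], x[14]) QR(x[3], x[7], x[11], x[15])
        QR(x[0], x[5], x[10], x[15]) QR(x[1], x[6], x[11], x[12])
        QR(x[2], x[7], x[8],  x[13]) QR(x[3], x[4], x[9],  x[14])
    }
    for (i = 0; i < 16; i++) store32_le(out + 4 * i, x[i] + s[i]);
}

struct txid_gen {
    uint8_t key[32], nonce[12], buf[64];
    uint32_t counter;
    size_t pos;          /* next unused byte of buf; 64 means buf is empty */
};

/* Read exactly n bytes from /dev/urandom; refuses any request above SEED_BYTES. */
static int read_urandom_capped(uint8_t *dst, size_t n) {
    int fd;
    size_t got = 0;
    if (n > SEED_BYTES) { errno = EINVAL; return -1; }
    fd = open("/dev/urandom", O_RDONLY);
    if (fd < 0) return -1;
    while (got < n) {
        ssize_t r = read(fd, dst + got, n - got);
        if (r < 0 && errno == EINTR) continue;     /* interrupted: retry the read */
        if (r <= 0) { close(fd); if (r == 0) errno = EIO; return -1; }
        got += (size_t)r;
    }
    close(fd);
    return 0;
}

/* Start from a caller-supplied key; the nonce stays zero because the key is fresh per process. */
void txid_init_from_seed(struct txid_gen *g, const uint8_t seed[32]) {
    memcpy(g->key, seed, 32);
    memset(g->nonce, 0, sizeof g->nonce);
    g->counter = 0;
    g->pos = 64;
}

/* Seed once from the kernel; afterwards the generator never reads /dev/urandom again. */
int txid_init(struct txid_gen *g) {
    uint8_t seed[32];
    if (read_urandom_capped(seed, sizeof seed) != 0) return -1;
    txid_init_from_seed(g, seed);
    memset(seed, 0, sizeof seed);
    return 0;
}

/* Next 16-bit transaction ID; a new 64-byte block is generated every 32 IDs. */
uint16_t txid_next(struct txid_gen *g) {
    uint16_t id;
    if (g->pos >= 64) { chacha20_block(g->key, g->nonce, g->counter++, g->buf); g->pos = 0; }
    id = (uint16_t)(g->buf[g->pos] | (g->buf[g->pos + 1] << 8));
    g->pos += 2;
    return id;
}

/* Known-answer check against the RFC 8439 section 2.3.2 block; returns 1 on match. */
int chacha20_selfcheck(void) {
    static const uint8_t nonce[12] = {0, 0, 0, 9, 0, 0, 0, 0x4a, 0, 0, 0, 0};
    static const uint8_t expect[16] = {0x10,0xf1,0xe7,0xe4,0xd1,0x3b,0x59,0x15,0x50,0x0f,0xdd,0x1f,0xa3,0x20,0x71,0xc4};
    uint8_t key[32], out[64];
    int i;
    for (i = 0; i < 32; i++) key[i] = (uint8_t)i;
    chacha20_block(key, nonce, 1, out);
    return memcmp(out, expect, sizeof expect) == 0;
}

/* n-th ID from an all-zero seed (deterministic, for checking the generator itself). */
unsigned txid_zero_seed_id(unsigned n) {
    static const uint8_t zero[32] = {0};
    struct txid_gen g;
    unsigned id;
    txid_init_from_seed(&g, zero);
    do { id = txid_next(&g); } while (n-- > 0);
    return id;
}

int main(void) {
    struct txid_gen g;
    int i;
    if (!chacha20_selfcheck()) { fputs("ChaCha20 self-check failed\n", stderr); return 1; }
    if (txid_init(&g) != 0) { perror("seeding from /dev/urandom"); return 1; }
    for (i = 0; i < 8; i++) printf("txid %d: 0x%04x\n", i, txid_next(&g));
    return 0;
}
```

Whatever the loop around `wget` or a resolver does, a process built this way costs the kernel pool 32 bytes in total rather than a few bytes per query. Two caveats a practitioner should keep in mind: a daemon that forks must reseed in the child (the child inherits the parent's key and counter and would otherwise emit the same IDs), and the all-zero-seed path above exists only for known-answer checking, never for a real resolver.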