
Re: libbsd package

* Guillem Jover:

> If the stable release team would be fine with introducing a new source
> package to stable then I guess the easiest is to just "backport".
> I think it most probably should build on etch w/o modifications.
> Otherwise from where were you thinking on generating the library
> package?

We need non-predictable PRNGs for DNS transaction IDs and perhaps source
ports (if we can't fix the kernel due to politics) in adns, libc6,
Net::DNS, ldns, and in various DNS proxies and probably some other stuff
I forgot.

The OpenSSL license is incompatible with some other licenses used by
Debian and cannot be used in a library.  The GNUTLS PRNG drains a lot of
entropy from the pool.  Reading /dev/urandom directly might be another
option, though.

>> I'd also see a change that limits the number of bytes which is read from
>> /dev/urandom (32 or fewer should be enough).  I'm concerned about
>> looping shell scripts draining entropy from the pool at an unacceptably
>> high rate.
> I guess that'd be possible, but on what scenario would you see this
> happening?

Anything that uses DNS in a loop.  For instance, with a list of a few
dozen URLs,

  while read url ; do wget $url ; done

completely depletes the kernel randomness pool, causing issues for
applications that read from /dev/random.
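
The "reading /dev/urandom directly" option combined with the 32-byte bound discussed above, as an added example that is not part of the original message or of libbsd: one bounded read is buffered and serves 16 transaction IDs before the kernel is asked again. The names POOL_BYTES, urandom_fill, dns_txid and kernel_reads are hypothetical.

```c
#include <errno.h>
#include <fcntl.h>
#include <stdint.h>
#include <stdio.h>
#include <unistd.h>

#define POOL_BYTES 32               /* upper bound per kernel read (assumed from the thread) */
static unsigned char pool[POOL_BYTES];
static size_t pool_left;            /* unused bytes remaining in pool */
static unsigned long kernel_reads;  /* how often /dev/urandom was read */

/* Fill buf with exactly len bytes; retries on EINTR and short reads. */
static int urandom_fill(unsigned char *buf, size_t len)
{
    int fd = open("/dev/urandom", O_RDONLY);
    size_t got = 0;
    if (fd < 0) return -1;
    while (got < len) {
        ssize_t n = read(fd, buf + got, len - got);
        if (n < 0 && errno == EINTR) continue;
        if (n <= 0) { close(fd); return -1; }   /* hard error or EOF */
        got += (size_t)n;
    }
    close(fd);
    return 0;
}

/* Store a fresh 16-bit DNS transaction ID in *id; 0 on success, -1 on error.
 * Not thread-safe; a fork()ed child must reset pool_left to 0 or it will
 * hand out the same IDs as its parent. */
int dns_txid(uint16_t *id)
{
    if (pool_left < 2) {
        if (urandom_fill(pool, sizeof pool) != 0) return -1;  /* fail closed */
        pool_left = sizeof pool;
        kernel_reads++;
    }
    pool_left -= 2;
    *id = (uint16_t)((pool[pool_left] << 8) | pool[pool_left + 1]);
    pool[pool_left] = pool[pool_left + 1] = 0;  /* never reuse pool bytes */
    return 0;
}

int main(void)
{
    uint16_t id;
    if (dns_txid(&id) != 0) return 1;
    printf("txid=0x%04x\n", (unsigned)id);
    return 0;
}
```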
