Re: Bug#811315: getdns: FTBFS[kfreebsd]: needs getentropy implementation



Hi Guillem,

Guillem Jover wrote:
> Steven Chamberlain wrote:
> > getdns FTBFS on kfreebsd because it lacks a getentropy implementation
> > for the FreeBSD kernel.  But there is one already in LibreSSL Portable
> > we can use, and works fine here.
> 
> BTW, libbsd has also a getentropy(3) implementation (lifted too from
> LibreSSL), which is currently not exposed but if people want to use it
> I could make it public, instead of embedding this in all sorts of
> places. The difference being that libbsd is already in Debian, while
> LibreSSL is not.
> 
>   <http://cgit.freedesktop.org/libbsd/tree/src>

I'm really glad you asked about this.  The number of projects embedding
arc4random implementations, copied from OpenBSD or OpenSSH/LibreSSL
Portable, has me worried.  I wanted to raise this with the security team;
I may follow up on debian-devel shortly.

I think the only use case for getentropy is arc4random, so perhaps don't
export getentropy(3), but let's try to standardise on one implementation
of arc4random (in libbsd?) and try to get more people using that?

It would be nice to have the kernel-specific parts (getentropy) confined
to libbsd, and that may become even more important if applications start
sandboxing (e.g. can't read /dev/urandom any more, have to use sysctls).
Or if getrandom(2) becomes standard, we'd only need to implement it in
one place (as a supplement / eventual replacement to getentropy(3)).

Regards,
-- 
Steven Chamberlain
steven@pyro.eu.org

Attachment: signature.asc
Description: Digital signature
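
The message above suggests confining the kernel-specific entropy source to one place. The following C sketch illustrates that; it is an added example, not code from libbsd, LibreSSL or getdns. `portable_getentropy` and the helper names are hypothetical, and the FreeBSD branch assumes the `kern.arandom` sysctl (`CTL_KERN`, `KERN_ARND`) is available.

```c
#include <errno.h>
#include <fcntl.h>
#include <unistd.h>
#if defined(__linux__)
#include <sys/random.h>          /* getrandom(2) wrapper, glibc >= 2.25 */
#elif defined(__FreeBSD_kernel__)
#include <sys/sysctl.h>          /* kern.arandom via sysctl(3) */
#endif

/* Kernel-specific source that needs no /dev node; returns 0 on success. */
static int entropy_from_kernel(unsigned char *p, size_t len)
{
#if defined(__linux__)
    ssize_t n;
    do n = getrandom(p, len, 0); while (n < 0 && errno == EINTR);
    return n == (ssize_t)len ? 0 : -1;
#elif defined(__FreeBSD_kernel__)
    int mib[2] = { CTL_KERN, KERN_ARND };
    size_t got = len;
    return (sysctl(mib, 2, p, &got, NULL, 0) == 0 && got == len) ? 0 : -1;
#else
    return (void)p, (void)len, -1;   /* no known kernel interface */
#endif
}

/* Fallback for older kernels; fails where a sandbox hides /dev/urandom. */
static int entropy_from_urandom(unsigned char *p, size_t len)
{
    int fd = open("/dev/urandom", O_RDONLY);
    if (fd < 0) return -1;
    while (len > 0) {
        ssize_t n = read(fd, p, len);
        if (n < 0 && errno == EINTR) continue;   /* interrupted: retry */
        if (n <= 0) break;                       /* error or EOF: give up */
        p += n;
        len -= (size_t)n;
    }
    close(fd);
    return len == 0 ? 0 : -1;
}

/* Hypothetical name; same contract as getentropy(3): len <= 256, 0 or -1. */
int portable_getentropy(void *buf, size_t len)
{
    if (len <= 256 && (entropy_from_kernel(buf, len) == 0 ||
                       entropy_from_urandom(buf, len) == 0))
        return 0;
    errno = EIO;                     /* never hand back unfilled bytes */
    return -1;
}
```

Callers must treat a -1 return as fatal for key or nonce generation rather than continuing with whatever is in the buffer.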