Bruno Wolff III <bruno(at)cerberus(dot)csd(dot)uwm(dot)edu> writes:
> It looks like they consider not running without seeding the PRNG a feature
> and that this isn't something likely to change soon.
One man's feature is another man's bug, I'd say. How can they consider
it a good decision to leave it to the application to solve this problem?
Especially when they *do* solve the seeding problem on some platforms?
Their stance is completely inconsistent. If they're concerned about
preventing use of predictable seeds, the last thing they should want to
do is allow a surrounding application to apply a sloppy solution (like
the constant seed you just suggested). They should think of the best
solution they can, and embody it in their library. There is *no* chance
that an application developer is going to invent a better way on the
spur of the moment, and every chance that he'll blow a mile-wide hole
in the security of their library.
regards, tom lane
In response to
pgsql-bugs by date
|Next:||From: Tom Lane||Date: 2001-10-30 15:48:46|
|Subject: Re: Porting issue with openssl and no /dev/random |
|Previous:||From: Bruno Wolff III||Date: 2001-10-30 15:06:50|
|Subject: Re: Porting issue with openssl and no /dev/random|