Re: Re: [COMMITTERS] pgsql: Replace PostmasterRandom() with a stronger way of generating ran

From: Michael Paquier <michael(dot)paquier(at)gmail(dot)com>
To: Tom Lane <tgl(at)sss(dot)pgh(dot)pa(dot)us>
Cc: Robert Haas <robertmhaas(at)gmail(dot)com>, Heikki Linnakangas <hlinnaka(at)iki(dot)fi>, "pgsql-hackers(at)postgresql(dot)org" <pgsql-hackers(at)postgresql(dot)org>
Subject: Re: Re: [COMMITTERS] pgsql: Replace PostmasterRandom() with a stronger way of generating ran
Date: 2016-10-18 01:50:09
Message-ID: CAB7nPqT8ukEyznPs-0h6SOvoexf7AX-hVD3aHja=kVcRpS6ufw@mail.gmail.com
Lists: pgsql-committers pgsql-hackers

On Tue, Oct 18, 2016 at 5:35 AM, Tom Lane <tgl(at)sss(dot)pgh(dot)pa(dot)us> wrote:
> If we want it to fail, and don't want to retire pademelon, there are
> multiple ways we could get to that goal:
>
> * Enable --with-openssl in pademelon's build (don't really want to do
> this, since I believe almost all the rest of the buildfarm tests with
> openssl)

Yes, I don't think it's a good thing to make openssl installation
mandatory for this animal.

> * Add variant expected-files (probably bad, it'd hide real failures)
>
> * Add a configure option to suppress building/testing pgcrypto (maybe
> just make it contingent on --with-openssl, which would allow deletion
> of a bunch of code that duplicates openssl functionality...)
>
> * Support reading entropy from prngd (but this means we have no buildfarm
> coverage for entropy-daemon-less platforms)
>
> None of these are perfect, but I'd say the last one is not so obviously
> the best that we shouldn't consider alternatives.

In light of this discussion, it seems to me that we still want the
--allow-weak-keys option in the end anyway as an extreme fallback, and
this even if there is additional support for prngd. An essential part is
to document the weakness of this option properly, like not using pgcrypto
with it if there is no other entropy source on an OS. Reading this
thread, the point is that we should not complicate the support for
obscure nix platforms, and it would be user-unfriendly to require users
to install prngd to get more entropy from the system.

And actually, enabling prngd would need to be controlled by a
configure switch as well, disabled by default, no?
--
Michael
