Hi Sean, Alex
Here's a sum-up post:
http://mail.openjdk.java.net/pipermail/security-dev/2014-June/010700.html
Regards, Peter
On 07/14/2014 04:44 PM, Sean Mullan wrote:
I don't see a pointer to the webrev/patch -- did you forget to include
it?
--Sean
On 07/11/2014 07:33 PM, Martin Buchholz wrote:
Thanks to Peter for digging into the secure seed generator classes and
coming up with a patch. Openjdk security folks, please review. I
confess
to getting lost whenever I try to orient myself in the twisty maze of
seed
generator implementation files.
Anyways, it seems important to have prngs like ThreadLocalRandom be
able to
get a few bits of seed entropy without loading hundreds of classes and
without occupying any file descriptors permanently. Perhaps at
Google we
will go back to writing some simple non-portable startup code to read
/dev/urandom until openjdk security team comes up with a more principled
solution (but one that doesn't drag in too much machinery).