On Wed, Feb 22, 2012 at 7:37 PM, Marsh Ray <ma...@extendedsubset.com> wrote:
> On 02/22/2012 05:49 PM, Jeffrey Walton wrote:
>>
>> Remember, OpenSSL gave tacit approval: "If it helps with debugging,
>> I'm in favor of removing them,"
>> http://www.mail-archive.com/openssl-dev@openssl.org/msg21156.html.
>
> The full quote from Ulf Möller is:
>
>> Kurt Roeckx wrote:
>>>
>>> What I currently see as best option is to actually comment out
>>> those 2 lines of code. But I have no idea what effect this really
>>> has on the RNG. The only effect I see is that the pool might
>>> receive less entropy. But on the other hand, I'm not even sure
>>> how much entropy some uninitialised data has.
>>
>> Not much. If it helps with debugging, I'm in favor of removing them.
>> (However the last time I checked, valgrind reported thousands of
>> bogus error messages. Has that situation gotten better?)
>
> What Ulf gave was his own weak conditional support based on the way Kurt
> posed the question, which implied that it was only entropy from
> uninitialized memory being added.

I seem to recall Debian stating they interpreted the statement as an OK (but I can't find a citation at the moment).

For what it's worth, I could not tell if Möller was OK with removing the statements for Debug only, or all versions (loosely, Debug and Release). What was not very clear at all (to me): how removing the statements was even helpful in debugging.

> But did OpenSSL go ahead and remove them or express interest in a patch? No.

In this instance, I believe Debian made the changes then pushed the patch upstream. Debian did not wait for OpenSSL action. Isn't that fairly typical? I don't recall what happened afterwards (did OpenSSL kick the patch?).

> Personally, I think it's a brilliant example of engineering
> miscommunication. One of open source crypto's great teaching moments, akin
> to the civil engineer's KC Hyatt walkway collapse.
> https://en.wikipedia.org/wiki/Hyatt_Regency_walkway_collapse

Agreed.

> P.S. Sadly, in case anyone hadn't heard, Ulf Möller died last month.
>> http://ulf-m.blogspot.com/2012/02/help-us-find-people-who-killed-ulf.html

Very unfortunate. I hate to hear things like that (cryptographer or not).

Jeff
_______________________________________________
cryptography mailing list
cryptography@randombit.net
http://lists.randombit.net/mailman/listinfo/cryptography