No, HLFS never used the modification Debian used on OpenSSL to cause this entropy vulnerability.

This bug began with a false positive from Valgrind/Purify-like code checker software, and was eagerly fixed by the Debian maintainers with the best of intentions. In hindsight, this modification should have been sent to the OpenSSL group as a bugfix, where it should have been properly reviewed and found to be a false positive.

HLFS has done what it can to prevent this sort of bug from occurring. A while ago I started documenting patches, sending them upstream to developers for review so they could give constructive feedback (this doesn't always happen, but it shouldn't stop us from trying). So whether the patch is accepted or rejected, it will hopefully get looked at by someone with a different perspective.

Furthermore, the modifications HLFS has on OpenSSL indisputably increase available entropy. The HLFS modifications to OpenSSL do not change any code; they enable additional code intended for OpenBSD to increase available entropy sources. I have always been very careful with changes to the OpenSSL package because I too do not want keys I make today to be vulnerable ten years from now. One day the shoe may be on the other foot.

This bug was caused by the best of intentions on Debian's part, and I sincerely hope they do not become discouraged by it.

robert

On Monday June 2 2008 12:15:57 pm Aki Tuomi wrote:
> Is HLFS in any way affected by this?
>
> Aki Tuomi
--
http://linuxfromscratch.org/mailman/listinfo/hlfs-dev
FAQ: http://www.linuxfromscratch.org/faq/
Unsubscribe: See the above information page
