On Mon, Jul 28, 2025 at 4:36 AM Daniel Gustafsson <dan...@yesql.se> wrote: > There has in the past been discussions (at least off-list in hallway tracks) > about allowing randomness to be chosen separately from underlying factors such > as OpenSSL support, at the time it didn't seem worth the trouble but that may > well have changed.
Yeah, especially if other options with similar strength could be much faster. But the comparison is really going to be OS-dependent [1, 2]. > With OpenSSL 1.1.1 being the baseline we can also make use of the _priv_bytes > functions to get increased isolation. Hmm, that's an interesting idea too. To move this forward a tiny bit: I would be okay with maintaining a new getentropy() case. (I'm less excited about getrandom() because of its reduced reach.) And maybe down the line we should discuss choosing an option at configure time? --Jacob [1] https://lwn.net/Articles/983186/ [2] https://dotat.at/@/2024-10-01-getentropy.html
