On Wed, Jun 25, 2008 at 10:34:07AM +0530, Venky wrote:
> On Tue, Jun 24, 2008 at 11:31:25PM -0500, Nicolas Williams wrote:
> > On Wed, Jun 25, 2008 at 09:50:02AM +0530, Venky wrote:
> > > On Tue, Jun 24, 2008 at 11:07:35PM -0500, Shawn Walker wrote:
> > > > Yes, but again, that's where policy comes in. As the recent Debian
> > > > problem with OpenSSL shows, just because you have a fully-repeatable
> > > > build recipe and source does not guarantee that a security problem
> > > > won't be introduced.
> > >
> > > Perfect example, thank you! Do you think this flaw would have been
> > > discovered if Debian did not have a policy of requiring source?
> >
> > Actually, yes. People certainly could (and should) have noticed the
> > problem without having to inspect source.
>
> Okay, now that would be amazing! The actual flaw in this case just
> made the number of possible random number seed values drop to
> 32,768. I'd be stunned if someone figured this out without looking
> at the source.

This is way OT now, but OpenSSL's random number generator can be tested.
32,768 seeds is as nothing.

_______________________________________________
pkg-discuss mailing list
[email protected]
http://mail.opensolaris.org/mailman/listinfo/pkg-discuss
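The point made in the reply above, that a generator whose output is determined by only 32,768 seed values can be caught by testing alone, without reading any source, can be shown with a birthday-style collision count. The following is an added example, not code from the thread, from OpenSSL, or from Debian's patched package: `weak_generate` is a constructed toy whose whole output depends on a 15-bit seed, `strong_generate` is a constructed toy with a full 128-bit input, and the check treats both as black boxes, asking each for "fresh process" outputs and counting repeats. With 32,768 possible seeds, about n*(n-1)/65536 repeats are expected among n draws, so a couple of thousand draws make the defect obvious; a healthy generator producing 128-bit values shows none.

```python
"""Black-box detection of a generator with a tiny seed space.

Constructed example (not OpenSSL's or Debian's code): the 'weak' generator
derives everything from one of 2**15 = 32,768 seeds, the number discussed in
the thread. The check never inspects generator source; it only samples
outputs and counts collisions, which is exactly what a tester without source
could do.
"""
import hashlib
import random

SEED_SPACE = 2 ** 15  # 32,768 possible seeds, as in the thread


def weak_generate(seed: int) -> bytes:
    """Toy generator (constructed): output depends on nothing but a 15-bit seed."""
    return hashlib.sha256(seed.to_bytes(2, "big")).digest()[:16]


def strong_generate(entropy: bytes) -> bytes:
    """Toy generator (constructed) fed a full 128-bit input, for contrast."""
    return hashlib.sha256(entropy).digest()[:16]


def fresh_weak_outputs(n: int, rng: random.Random) -> list:
    """Simulate n independent 'processes', each picking a seed from the small space."""
    return [weak_generate(rng.randrange(SEED_SPACE)) for _ in range(n)]


def fresh_strong_outputs(n: int, rng: random.Random) -> list:
    """Simulate n independent 'processes', each with 128 bits of real input."""
    return [strong_generate(rng.getrandbits(128).to_bytes(16, "big")) for _ in range(n)]


def count_collisions(outputs: list) -> int:
    """Number of draws that repeated an earlier draw (n minus distinct values)."""
    return len(outputs) - len(set(outputs))


def expected_collisions(n: int, space: int) -> float:
    """Birthday estimate of repeats: about n*(n-1)/(2*space)."""
    return n * (n - 1) / (2 * space)


def looks_like_small_seed_space(outputs: list, claimed_bits: int = 128) -> bool:
    """Flag a generator if repeats appear where a claimed_bits-wide output
    should show essentially none. The verdict uses only the sampled outputs."""
    return count_collisions(outputs) > 10 * expected_collisions(len(outputs), 2 ** claimed_bits)


def run_check(n: int = 2000, sample_seed: int = 1) -> dict:
    """Draw n outputs from each toy generator and summarise; the sampling RNG is
    fixed so the result is reproducible offline."""
    rng = random.Random(sample_seed)
    weak = fresh_weak_outputs(n, rng)
    strong = fresh_strong_outputs(n, rng)
    return {
        "weak_collisions": count_collisions(weak),
        "weak_expected": expected_collisions(n, SEED_SPACE),
        "weak_flagged": looks_like_small_seed_space(weak),
        "strong_collisions": count_collisions(strong),
        "strong_flagged": looks_like_small_seed_space(strong),
    }


if __name__ == "__main__":
    for key, value in run_check().items():
        print(f"{key}: {value}")
```

Against a real generator the same loop would spawn fresh processes (or reboot a VM) and collect one key or nonce from each; the collision count, not the source, is the evidence. Around sixty repeats in 2,000 draws is the expected signature of a 32,768-value seed space, which is why the reply calls that number "as nothing".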
