Cory Benfield added the comment:

> So you are intentionally accepting a new vector for DoS attacks, and calling
> this non-reduced security?

This is only a DoS vector if you can hit the server so early in the boot 
process that it doesn't have enough entropy. The *second* enough entropy has 
been gathered, getrandom() will never block again.

In essence, then, the situation where it becomes possible to DoS a server is 
entirely outside an attacker's control and extremely unlikely to ever actually 
occur in real life: you can only DoS the server if you can demand entropy 
before the system has gathered enough, and if the server has managed to *boot* 
by then, then the alternative is that it is incapable of generating secure 
random numbers and shouldn't be running exposed against the web anyway.

----------

_______________________________________
Python tracker <rep...@bugs.python.org>
<http://bugs.python.org/issue26839>
_______________________________________
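
The blocking behaviour discussed in the comment above, as an added example that is not part of the original message or of CPython's code: a service probes getrandom() with GRND_NONBLOCK at startup and only begins serving once the kernel pool is seeded. The names `pool_ready`, `wait_until_seeded` and `SimulatedKernel` are hypothetical, and the simulated kernel is a constructed stand-in so the early-boot state can be reproduced offline.

```python
import os
import time

# Linux flag value; taken from the os module when available (Python 3.6+ on Linux).
NONBLOCK = getattr(os, "GRND_NONBLOCK", 0x0001)

def pool_ready(getrandom=None):
    """Return True once the kernel CSPRNG is seeded, i.e. getrandom() cannot block."""
    if getrandom is None:
        getrandom = getattr(os, "getrandom", None)
        if getrandom is None:
            raise NotImplementedError("os.getrandom is not available on this platform")
    try:
        getrandom(1, NONBLOCK)      # non-blocking probe of the pool state
    except BlockingIOError:         # pool not yet initialized (early boot)
        return False
    return True

def wait_until_seeded(timeout, poll=0.05, getrandom=None,
                      clock=time.monotonic, sleep=time.sleep):
    """Poll until the pool is seeded; return False if `timeout` seconds pass first."""
    deadline = clock() + timeout
    while not pool_ready(getrandom):
        if clock() >= deadline:
            return False            # caller should refuse to serve rather than block
        sleep(poll)
    return True

class SimulatedKernel:
    """Constructed stand-in: unseeded for a fixed number of probes, then seeded for good."""
    def __init__(self, unseeded_probes):
        self.remaining = unseeded_probes

    def getrandom(self, size, flags=0):
        if self.remaining > 0 and flags & NONBLOCK:
            self.remaining -= 1
            raise BlockingIOError("entropy pool not initialized")
        return os.urandom(size)     # after seeding, every later call succeeds

if __name__ == "__main__":
    boot = SimulatedKernel(unseeded_probes=3)
    print("simulated early boot, ready:", pool_ready(boot.getrandom))
    print("simulated, seeded in time:", wait_until_seeded(1.0, getrandom=boot.getrandom))
    if hasattr(os, "getrandom"):
        print("real kernel ready:", pool_ready())
```
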