Christoph Anton Mitterer wrote on Monday, 20 February 2012:
> On Mon, 2012-02-20 at 11:58 +0100, Nico Golde wrote:
> > I'm not sure if I can agree with you here. The fact that before the patch
> > the code was using urandom doesn't necessarily make it more secure. Actually
> > looking at the patch, the code was using a one character seed (0..255) as a
> > random seed before. Please see
> > http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=333552
>
> Well...
> a) SSL is broken in NRPE anyway... so I rather consider this at the
> moment a "conceptual" issue than a technical one.
>
> b) I doubt that a (probably predictable - that may be even a multi-user
> system) number made out of PID/PPID/date is more secure than a (for the
> real world) quite secure /dev/urandom.
>
> c) I'm not an in-depth crypto expert, but if those 8 bits of entropy are
> not enough for SSL's initial PRNG seed, then a patch that reads just a
> bit more would have been the obvious; right?
>
> d) The argument in that bug is imho not very strong,...
> draining /dev/urandom by reading just one byte is difficult (of course
> if you have thousands of concurrent NRPEs things look different).
> But I guess the right solution would have been to just disable the
> broken ssl support per default?
> To the uneducated user it gives just a wrong sense of security, while in
> reality it helps nothing at all and costs just performance.
>
> Anyway,... to some extent this strongly reminds me of the OpenSSL
> debacle...
>
> Cheers,
> Chris.
>
> btw: To the Nagios maintainers,... I know I've opened several bugs
> recently, some of which you closed/wontfix already,.. hope you don't
> consider this as getting on your nerves; my intention is just to improve
> the packages :)

in fact you do. You are telling us mostly known things or just nonsense.
Alex
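The point of contention above (whether a one-character, 8-bit seed is enough for the TLS library's PRNG, and whether "reading a bit more" from /dev/urandom fixes it), as an added illustration that is not code from the thread or from NRPE. It uses Python's `random.Random` as a stand-in for the library PRNG; the seed lengths and the 128-bit audit threshold are assumptions for the demonstration.

```python
"""Seed-size audit: how many PRNG states can a seed of a given length reach?"""
import os
import random


def seeded_stream(seed: bytes, n_bytes: int = 16) -> bytes:
    """Deterministic PRNG output for `seed` (stand-in for the TLS library's PRNG)."""
    rng = random.Random(int.from_bytes(seed, "big"))
    return bytes(rng.getrandbits(8) for _ in range(n_bytes))


def one_char_seed() -> bytes:
    """The weak scheme discussed in the thread: a single byte read from /dev/urandom."""
    return os.urandom(1)


def full_seed(n: int = 32) -> bytes:
    """What 'reading a bit more' means in practice: 32 bytes (256 bits) from /dev/urandom."""
    return os.urandom(n)


def distinct_streams(seed_len: int) -> int:
    """Upper bound on distinct PRNG output streams reachable from a seed of seed_len bytes."""
    return 256 ** seed_len


def enumerate_one_byte_streams(n_bytes: int = 16) -> dict:
    """Every output stream a one-byte seed can produce, keyed by stream: only 256 entries.

    Reading /dev/urandom does not help here; the bottleneck is the seed width,
    since any session's 'random' values fall into this tiny table."""
    return {seeded_stream(bytes([b]), n_bytes): b for b in range(256)}


def audit_seed_len(seed_len: int, min_bits: int = 128) -> bool:
    """Accept a seed only if it carries at least min_bits of possible entropy (assumed threshold)."""
    return seed_len * 8 >= min_bits


if __name__ == "__main__":
    print("one-byte seed reaches", distinct_streams(len(one_char_seed())), "streams")
    print("32-byte seed reaches 2^", distinct_streams(len(full_seed())).bit_length() - 1, "streams")
    print("one-byte seed passes audit:", audit_seed_len(1))
```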