Hi, * Christoph Anton Mitterer <cales...@scientia.net> [2012-02-20 13:13]: > On Mon, 2012-02-20 at 11:58 +0100, Nico Golde wrote: > > I'm not sure if I can agree with you here. The fact that before the patch > > the > > code was using urandom doesn't necessarily make it more secure. Actually > > looking at the patch, the code was using a one character seed (0..255) as a > > random seed before. Please see > > http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=333552 > > Well... > a) SSL is broken in NRPE anyway... so I rather consider this at the > moment a "conceptual" issue than a technical. > > b) I doubt that a (probably predictable - that may be even a multi-user > system) number made out of PID/PPID/date is more secure than a (for the > real world) quite secure /dev/urandom .
I'm not arguing with you about what is more secure and what not. Fact is both solutions are not secure from a crypto perspective and there was a reason (which I can't judge in practice) to change the behaviour. Comparing this to the "openssl debacle" is ridiculous if you ask me and will likely piss people off. Cheers Nico -- Nico Golde - http://www.ngolde.de - n...@jabber.ccc.de - GPG: 0xA0A0AAAA For security reasons, all text in this mail is double-rot13 encrypted.
pgpEEQZZL0Eg7.pgp
Description: PGP signature
