Steven Chamberlain <ste...@pyro.eu.org> writes:

> I think it would be good for Debian to standardise on a single, good
> arc4random implementation, available to any application that wants to
> use it.

> I'd like it to become ubiquitous, on all Debian arches (and eventually
> other distributions). We should ensure applications do find it and use
> it, instead of using risky fallbacks like rand(), getpid() and time().
> (Scan build logs for "checking.*arc4random" for example).
> We could deprecate dozens of code copies, most of them unmaintained,
> some having known security flaws that were fixed in later versions.

I'm all in favor of this, but when working on this, please take the concerns of upstream into account. libbsd is readily available on Debian, but I don't know if that's the case on the other systems that upstream is trying to support, so they're going to be understandably worried about portability.

Ideally, we wouldn't have to carry a ton of Debian-specific patches to do this, though. If someone could put together a kit for upstream with Autoconf probes and all the machinery for selectively using this implementation if libbsd is available, I think that would go a long way towards helping us actually achieve this.

Even better, of course, would be to get glibc to take the interface, since then all one needs is the Autoconf probes. But I'm not sure how practical that really is.

--
Russ Allbery (r...@debian.org) <http://www.eyrie.org/~eagle/>
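
A configure.ac fragment of the kind of Autoconf probe discussed in the message above, as an added example that is not part of the original post and not taken from any upstream project. It looks for arc4random_buf in libc first and then in libbsd, and otherwise falls back to a bundled copy; the bundled file name arc4random.c and the shell variable have_arc4random are assumptions made for illustration.

```m4
dnl Added example for configure.ac; not from the thread or any upstream.
dnl
dnl Look for arc4random_buf in libc first, then in libbsd.  When it is
dnl found, AC_SEARCH_LIBS prepends the library it needed (if any) to LIBS,
dnl so -lbsd is linked only on systems where libc lacks the function.
AC_SEARCH_LIBS([arc4random_buf], [bsd],
  [have_arc4random=yes], [have_arc4random=no])

dnl libbsd declares the function in <bsd/stdlib.h>.  This probe defines
dnl HAVE_BSD_STDLIB_H when that header is present, so C code can do:
dnl
dnl   #include <stdlib.h>
dnl   #ifdef HAVE_BSD_STDLIB_H
dnl   # include <bsd/stdlib.h>
dnl   #endif
AC_CHECK_HEADERS([bsd/stdlib.h])

dnl Assumption: upstream keeps its own copy as arc4random.c in the
dnl directory named by AC_CONFIG_LIBOBJ_DIR.  It is compiled only when
dnl neither libc nor libbsd provides the function, so the system
dnl implementation is preferred wherever one exists.
AS_IF([test "x$have_arc4random" = xyes],
  [AC_DEFINE([HAVE_ARC4RANDOM_BUF], [1],
     [Define to 1 if arc4random_buf is available in libc or libbsd.])],
  [AC_LIBOBJ([arc4random])
   AC_MSG_NOTICE([arc4random_buf not found; building the bundled copy])])
```

Because the probe tries libc before libbsd, the same fragment keeps working unchanged on a system whose C library provides the interface itself.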