-1 to the release:
I don't think we can release the code as is; it is bound to cause
significant delays on some systems.
I think we need to establish whether using 'new SecureRandom()'
instead of SecureRandom.getInstanceStrong() makes the long delays go
away.

Then we need to establish whether we really need
SecureRandom.getInstanceStrong().
>From what I read in the link posted by Bruno:

https://tersesystems.com/blog/2015/12/17/the-right-way-to-use-securerandom/
and linked posts such as:
https://www.2uo.de/myths-about-urandom/

it looks like 'new SecureRandom()' would be just as good for our purposes.

S.

On Fri, 8 Feb 2019 at 11:12, Gary Gregory <garydgreg...@gmail.com> wrote:
>
> On Fri, Feb 8, 2019, 03:58 Gilles Sadowski <gillese...@gmail.com wrote:
>
> > Hello Bruno.
> >
> > Le ven. 8 févr. 2019 à 02:54, Bruno P. Kinoshita <ki...@apache.org> a
> > écrit :
> > >
> > > Hi,
> > >
> > > Had a bit of spare time to investigate this one (almost end of Friday
> > for me anyway, hooray!).
> > >
> > > There are two unit tests in Sha512 hanging for me in Eclipse,
> > testSha512CryptExplicitCall and testSha512CryptNullData. The code that the
> > test uses and hangs in my JVM can be simplified to:
> > >
> > > ```
> > > String salt = B64.getRandomSalt(8);
> > > System.out.println(salt); // never seen
> > > ```
> > >
> > > Looking at B64, we have this: `SecureRandom.getInstanceStrong()`, which
> > is the random object. Used to randomly pick a letter of the B64 alphabet.
> >
> > Where is that code?
> >
> > https://gitbox.apache.org/repos/asf?p=commons-codec.git;a=blob;f=src/main/java/org/apache/commons/codec/digest/B64.java;h=abd83fc34cd3b0df61fb6c0b33772d9cb5f559a7;hb=refs/heads/1_12
>
>
> That should be an array, not a string IMO.
>
> Gary
>
> >
> >
> > Gilles
> >
> > >
> > > It appears this one may take a long time in some systems due to low
> > entropy. i.e. it tries to gather more random data to give you a really
> > strong random... only that it appears to take a long long time for my JVM.
> > >
> > > Cheers
> > > Bruno
> > >
> > >
> > https://tersesystems.com/blog/2015/12/17/the-right-way-to-use-securerandom/
> > >
> > >
> > >
> > >
> > >
> > > On Friday, 8 February 2019, 2:31:35 pm NZDT, Rob Tompkins <
> > chtom...@gmail.com> wrote:
> > >
> > >
> > >
> > >
> > >
> > >
> > >
> > > > On Feb 7, 2019, at 8:17 PM, sebb <seb...@gmail.com> wrote:
> > > >
> > > > It builds fine on ubuntu trusty with Java 8
> > >
> > > Agree
> > >
> > > >
> > > >
> > https://builds.apache.org/view/A-D/view/Commons/job/Commons-Codec-Adhoc/
> > > >
> > > > Maybe sprinkle the Sha2Crypt.sha2Crypt method with debug prints to see
> > > > where the code is hanging?
> > > >
> > > > Or can you run the test in an IDE that allows you to interrupt it if
> > it hangs?
> > > > > > [...]
> >
> > ---------------------------------------------------------------------
> > To unsubscribe, e-mail: dev-unsubscr...@commons.apache.org
> > For additional commands, e-mail: dev-h...@commons.apache.org
> >
> >

---------------------------------------------------------------------
To unsubscribe, e-mail: dev-unsubscr...@commons.apache.org
For additional commands, e-mail: dev-h...@commons.apache.org

Reply via email to