-1 to the release: I don't think we can release the code as is; it is bound to cause significant delays on some systems.
I think we need to establish whether using 'new SecureRandom()' instead of SecureRandom.getInstanceStrong() makes the long delays go away. Then we need to establish whether we really need SecureRandom.getInstanceStrong(). >From what I read in the link posted by Bruno: https://tersesystems.com/blog/2015/12/17/the-right-way-to-use-securerandom/ and linked posts such as: https://www.2uo.de/myths-about-urandom/ it looks like 'new SecureRandom()' would be just as good for our purposes. S. On Fri, 8 Feb 2019 at 11:12, Gary Gregory <garydgreg...@gmail.com> wrote: > > On Fri, Feb 8, 2019, 03:58 Gilles Sadowski <gillese...@gmail.com wrote: > > > Hello Bruno. > > > > Le ven. 8 févr. 2019 à 02:54, Bruno P. Kinoshita <ki...@apache.org> a > > écrit : > > > > > > Hi, > > > > > > Had a bit of spare time to investigate this one (almost end of Friday > > for me anyway, hooray!). > > > > > > There are two unit tests in Sha512 hanging for me in Eclipse, > > testSha512CryptExplicitCall and testSha512CryptNullData. The code that the > > test uses and hangs in my JVM can be simplified to: > > > > > > ``` > > > String salt = B64.getRandomSalt(8); > > > System.out.println(salt); // never seen > > > ``` > > > > > > Looking at B64, we have this: `SecureRandom.getInstanceStrong()`, which > > is the random object. Used to randomly pick a letter of the B64 alphabet. > > > > Where is that code? > > > > https://gitbox.apache.org/repos/asf?p=commons-codec.git;a=blob;f=src/main/java/org/apache/commons/codec/digest/B64.java;h=abd83fc34cd3b0df61fb6c0b33772d9cb5f559a7;hb=refs/heads/1_12 > > > That should be an array, not a string IMO. > > Gary > > > > > > > Gilles > > > > > > > > It appears this one may take a long time in some systems due to low > > entropy. i.e. it tries to gather more random data to give you a really > > strong random... only that it appears to take a long long time for my JVM. > > > > > > Cheers > > > Bruno > > > > > > > > https://tersesystems.com/blog/2015/12/17/the-right-way-to-use-securerandom/ > > > > > > > > > > > > > > > > > > On Friday, 8 February 2019, 2:31:35 pm NZDT, Rob Tompkins < > > chtom...@gmail.com> wrote: > > > > > > > > > > > > > > > > > > > > > > > > > On Feb 7, 2019, at 8:17 PM, sebb <seb...@gmail.com> wrote: > > > > > > > > It builds fine on ubuntu trusty with Java 8 > > > > > > Agree > > > > > > > > > > > > > https://builds.apache.org/view/A-D/view/Commons/job/Commons-Codec-Adhoc/ > > > > > > > > Maybe sprinkle the Sha2Crypt.sha2Crypt method with debug prints to see > > > > where the code is hanging? > > > > > > > > Or can you run the test in an IDE that allows you to interrupt it if > > it hangs? > > > > > > [...] > > > > --------------------------------------------------------------------- > > To unsubscribe, e-mail: dev-unsubscr...@commons.apache.org > > For additional commands, e-mail: dev-h...@commons.apache.org > > > > --------------------------------------------------------------------- To unsubscribe, e-mail: dev-unsubscr...@commons.apache.org For additional commands, e-mail: dev-h...@commons.apache.org