I’m a -1 as well. I have some ideas here and will work on those going forward.
-Rob

> On Feb 8, 2019, at 6:41 AM, Gary Gregory <garydgreg...@gmail.com> wrote:
>
> Whatever we do, let's document it as best we can in places users will find
> it.
>
> Gary
>
>> On Fri, Feb 8, 2019, 06:36 sebb <seb...@gmail.com wrote:
>>
>> -1 to the release:
>> I don't think we can release the code as is; it is bound to cause
>> significant delays on some systems.
>>
>> I think we need to establish whether using 'new SecureRandom()'
>> instead of SecureRandom.getInstanceStrong() makes the long delays go
>> away.
>>
>> Then we need to establish whether we really need
>> SecureRandom.getInstanceStrong().
>> From what I read in the link posted by Bruno:
>>
>> https://tersesystems.com/blog/2015/12/17/the-right-way-to-use-securerandom/
>> and linked posts such as:
>> https://www.2uo.de/myths-about-urandom/
>>
>> it looks like 'new SecureRandom()' would be just as good for our purposes.
>>
>> S.
>>
>>> On Fri, 8 Feb 2019 at 11:12, Gary Gregory <garydgreg...@gmail.com> wrote:
>>>
>>>> On Fri, Feb 8, 2019, 03:58 Gilles Sadowski <gillese...@gmail.com wrote:
>>>>
>>>> Hello Bruno.
>>>>
>>>> On Fri, 8 Feb 2019 at 02:54, Bruno P. Kinoshita <ki...@apache.org> wrote:
>>>>>
>>>>> Hi,
>>>>>
>>>>> Had a bit of spare time to investigate this one (almost end of Friday
>>>>> for me anyway, hooray!).
>>>>>
>>>>> There are two unit tests in Sha512 hanging for me in Eclipse,
>>>>> testSha512CryptExplicitCall and testSha512CryptNullData. The code that the
>>>>> test uses and hangs in my JVM can be simplified to:
>>>>>
>>>>> ```
>>>>> String salt = B64.getRandomSalt(8);
>>>>> System.out.println(salt); // never seen
>>>>> ```
>>>>>
>>>>> Looking at B64, we have this: `SecureRandom.getInstanceStrong()`, which
>>>>> is the random object. Used to randomly pick a letter of the B64 alphabet.
>>>>
>>>> Where is that code?
>>>>
>>>> https://gitbox.apache.org/repos/asf?p=commons-codec.git;a=blob;f=src/main/java/org/apache/commons/codec/digest/B64.java;h=abd83fc34cd3b0df61fb6c0b33772d9cb5f559a7;hb=refs/heads/1_12
>>>
>>> That should be an array, not a string IMO.
>>>
>>> Gary
>>>
>>>>
>>>> Gilles
>>>>
>>>>>
>>>>> It appears this one may take a long time in some systems due to low
>>>>> entropy. i.e. it tries to gather more random data to give you a really
>>>>> strong random... only that it appears to take a long long time for my JVM.
>>>>>
>>>>> Cheers
>>>>> Bruno
>>>>>
>>>>> https://tersesystems.com/blog/2015/12/17/the-right-way-to-use-securerandom/
>>>>>
>>>>> On Friday, 8 February 2019, 2:31:35 pm NZDT, Rob Tompkins <chtom...@gmail.com> wrote:
>>>>>
>>>>>> On Feb 7, 2019, at 8:17 PM, sebb <seb...@gmail.com> wrote:
>>>>>>
>>>>>> It builds fine on ubuntu trusty with Java 8
>>>>>
>>>>> Agree
>>>>>
>>>>>> https://builds.apache.org/view/A-D/view/Commons/job/Commons-Codec-Adhoc/
>>>>>>
>>>>>> Maybe sprinkle the Sha2Crypt.sha2Crypt method with debug prints to see
>>>>>> where the code is hanging?
>>>>>>
>>>>>> Or can you run the test in an IDE that allows you to interrupt it if
>>>>>> it hangs?
>>>>>>>> [...]
>>>>
>>>> ---------------------------------------------------------------------
>>>> To unsubscribe, e-mail: dev-unsubscr...@commons.apache.org
>>>> For additional commands, e-mail: dev-h...@commons.apache.org
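
Added example, not code from Commons Codec or from anyone on this thread: one way to run the comparison sebb proposes, timing an 8-character salt drawn through `new SecureRandom()` against `SecureRandom.getInstanceStrong()`, with a timeout so that a blocked entropy read shows up as a result instead of a hung test. The class name `SaltSourceCheck`, the `ALPHABET` constant and the 10-second timeout are assumptions made for the illustration.

```java
import java.security.SecureRandom;
import java.util.concurrent.*;

public class SaltSourceCheck {
    // Assumed 64-character crypt-style alphabet; not copied from B64.java.
    static final String ALPHABET =
            "./0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz";

    // Picks each salt character with an unbiased index from the given source.
    static String randomSalt(SecureRandom rnd, int length) {
        StringBuilder sb = new StringBuilder(length);
        for (int i = 0; i < length; i++) {
            sb.append(ALPHABET.charAt(rnd.nextInt(ALPHABET.length())));
        }
        return sb.toString();
    }

    // Creates the generator and draws the salt on a daemon worker thread, so a
    // blocking entropy read is reported as a timeout and cannot hang the JVM.
    static String timed(String label, Callable<SecureRandom> source, long timeoutSec)
            throws Exception {
        ExecutorService pool = Executors.newSingleThreadExecutor(r -> {
            Thread t = new Thread(r, label);
            t.setDaemon(true);
            return t;
        });
        long start = System.nanoTime();
        Future<String> result = pool.submit(() -> {
            SecureRandom rnd = source.call();
            return rnd.getAlgorithm() + " salt=" + randomSalt(rnd, 8);
        });
        try {
            String out = result.get(timeoutSec, TimeUnit.SECONDS);
            return label + ": " + out + " in " + (System.nanoTime() - start) / 1_000_000 + " ms";
        } catch (TimeoutException e) {
            return label + ": no salt after " + timeoutSec + " s (blocked waiting for entropy?)";
        } finally {
            pool.shutdownNow();
        }
    }

    public static void main(String[] args) throws Exception {
        System.out.println(timed("new SecureRandom()", SecureRandom::new, 10));
        System.out.println(timed("getInstanceStrong()", SecureRandom::getInstanceStrong, 10));
    }
}
```

Which implementation `getInstanceStrong()` returns is set by the `securerandom.strongAlgorithms` security property, so the algorithm name printed on each line shows what was actually measured on a given JVM.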