[Pkg-openssl-devel] Valgrind patch leftovers

Kurt Roeckx kurt at roeckx.be
Fri Aug 30 16:31:30 UTC 2013


On Fri, Aug 30, 2013 at 12:24:41PM +0200, Luca BRUNO wrote:
> On Thu, 29 Aug 2013 19:12:34 +0200
> Kurt Roeckx <kurt at roeckx.be> wrote:
> 
> > There is nothing "expected" about this.  The difference is that
> > without the valgrind patch it adds some information that might
> > or might not contain entropy.
>  
> That's true, and it may arguably be considered just a bug in the
> library-using applications, not properly reseeding.
> However, it looks to me that this patch is making this kind of bug
> more severe, as it is *always* removing a source that *might* not
> contain entropy. I see many downstream projects patching these bugs, but
> only after being bitten by it, and possibly with quite nefarious
> end-user effects [0].

If the valgrind patch wasn't applied, there would most likely
still be a problem, just harder to detect.  So I see no good
reason to drop that patch.


Kurt



