GNU bug report logs - #22202
24.5; SECURITY ISSUE -- Emacs Server vulnerable to random number generator attack on Windows systems

Previous Next

Full log

Message #118 received at 22202 <at> debbugs.gnu.org (full text, mbox):

From: John Wiegley <jwiegley <at> gmail.com>
To: Eli Zaretskii <eliz <at> gnu.org>
Cc: rcopley <at> gmail.com, 22202 <at> debbugs.gnu.org, Paul Eggert <eggert <at> cs.ucla.edu>,
 deng <at> randomsample.de
Subject: Re: bug#22202: 24.5;
 SECURITY ISSUE -- Emacs Server vulnerable to random number generator
 attack on Windows systems
Date: Tue, 19 Jan 2016 09:03:17 -0800

[Message part 1 (text/plain, inline)]

>>>>> Eli Zaretskii <eliz <at> gnu.org> writes:

> We have what we need; calling gnutls_rnd changes nothing in this regard.
> It's just a more complex way of issuing the same system calls. It buys us
> nothing in terms of security and performance, while we sustain the price of
> having core functionality that must run at startup crucially depending on a
> 3rd party library we don't control.

> John, I feel this decision is wrong and the changes that prefer gnutls_rnd
> should be reverted. Maybe I'm the only one who cares, but then Paul is the
> only one who felt the need to make that change. I'd like to hear your take
> on this, please.

From what I've read, I agree with you Eli. If we can open /dev/urandom, why do
we need a dependency on GnuTLS to effectively do the same thing?

What critical feature is GnuTLS buying for us that would make this worthwhile,
Paul?

-- 
John Wiegley                  GPG fingerprint = 4710 CF98 AF9B 327B B80F
http://newartisans.com                          60E1 46C4 BD1A 7AC1 4BA2

[signature.asc (application/pgp-signature, inline)]

Previous Next

GNU bug tracking system
Copyright (C) 1999 Darren O. Benham, 1997,2003 nCipher Corporation Ltd, 1994-97 Ian Jackson.