Roundup Tracker - Issues


Author rouilj
Recipients cmeerw, joseph_myers, rouilj, schlatterbeck
Date 2018-08-04.22:56:48
Message-id <20180804225642.06D084C029A@itserver6.localdomain>
In-reply-to <>
Hi Christof:

In message
Christof Meerwald writes:
>Christof Meerwald added the comment:
>Here is another patch that keeps the re-seeding in place, just moves 
>the selection of the preferred random number generation method into a 
>single module:

In your patch you seed a new random instance, not the default random
instance. You should also seed the default random instance on every
client session. The issue with the default pseudorandom number
generator not being seeded was detected by an extension on the
bugtracker. The extension returned a random issue. That
stopped working because the default random generator was not seeded on
every client connection. While every extension writer could add their
own call to seed the random source, I think it is better if we seed it
with proper random info in the core.

So make sure you seed the random generator even if we don't use it in
the main roundup code. It is reasonable for tracker developers to
think that random is properly seeded on every client connection.

>(Note that I have removed some special "randomness" code for CSRF 
>handling as it seems strange to handle that in a different way than 
>gen_sid/gen_nonce in; ideally, we would have a strong random 
>number generator anyway if we care about these things).

I'm ok with that if you believe that there is enough randomness in
roundup/anypy/ when it takes the pseudorandom path.

Have a great week.
Date                 User    Action  Args
2018-08-04 22:56:49  rouilj  set     recipients: + rouilj, schlatterbeck, cmeerw, joseph_myers
2018-08-04 22:56:49  rouilj  link    issue2550988 messages
2018-08-04 22:56:48  rouilj  create
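
The distinction the message draws between seeding a new random instance and seeding the default one, as an added example (not code from the patch or from Roundup). The names `seed_private_instance`, `reseed_default`, `extension_pick` and `simulate` are hypothetical, the issue ids are constructed, and the simulation assumes each client connection starts from the same copied generator state, which the message does not state.

```python
import os
import random

ISSUE_IDS = list(range(1, 1001))  # constructed sample issue ids


def seed_private_instance():
    """Seed a separate Random object; the module-level generator is untouched."""
    rng = random.Random()
    rng.seed(os.urandom(32))
    return rng


def reseed_default():
    """Hypothetical per-connection hook: reseed the shared module-level generator."""
    random.seed(os.urandom(32))


def extension_pick():
    """Stand-in for an extension that returns a random issue via random.choice."""
    return random.choice(ISSUE_IDS)


def simulate(connections, core_reseeds_default):
    """Run simulated client connections that all start from one copied
    generator state and return the issue picked on each connection."""
    inherited = random.getstate()
    picks = []
    for _ in range(connections):
        random.setstate(inherited)   # assumption: state is copied per connection
        seed_private_instance()      # seeding a new instance only
        if core_reseeds_default:
            reseed_default()         # seeding the default instance as well
        picks.append(extension_pick())
    return picks


if __name__ == "__main__":
    print("private instance only:", simulate(5, False))
    print("default reseeded too: ", simulate(5, True))
```

With only the private instance seeded, every simulated connection picks the same issue; reseeding the default generator per connection restores variation for code that calls the `random` module functions directly.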