pkgsrc-Bugs archive


pkg/48345: security/gnupg doesn't use the static-rnd option it thinks it does



>Number:         48345
>Category:       pkg
>Synopsis:       security/gnupg doesn't use the static-rnd option it thinks it does
>Confidential:   no
>Severity:       non-critical
>Priority:       medium
>Responsible:    pkg-manager
>State:          open
>Class:          sw-bug
>Submitter-Id:   net
>Arrival-Date:   Sat Oct 26 18:00:00 +0000 2013
>Originator:     Andreas Gustafsson
>Release:        NetBSD 5.2
>Organization:
>Environment:
System: NetBSD guava.gson.org 5.2 NetBSD 5.2 (GENERIC) #0: Wed Nov 28 09:36:47 UTC 2012 builds%b8.netbsd.org@localhost:/home/builds/ab/netbsd-5-2-RELEASE/i386/201211280503Z-obj/home/builds/ab/netbsd-5-2-RELEASE/src/sys/arch/i386/compile/GENERIC i386
Architecture: i386
Machine: i386
>Description:

When building security/gnupg, I noticed the following output
from the configure script:

  configure: WARNING: unrecognized options: --with-static-rnd

This is because security/gnupg/Makefile passes the option
--with-static-rnd=auto, but the configure script actually takes
an option called --enable-static-rnd, not --with-static-rnd.

In light of recent reports about certain U.S. agencies possibly
introducing deliberate weaknesses in the random number generation of
security software, having any discrepancy between the apparent and
actual behavior of gnupg's random number generation makes me
uncomfortable.

I think I would actually prefer to fix this by simply removing the
"--with-static-rnd=auto" from the Makefile rather than replacing it
with "--enable-static-rnd=auto", because the default behavior is to
use only /dev/random, which seems preferable to that of
"--with-static-rnd=auto", which involves silently falling back to
other, possibly less secure methods if opening /dev/random or
/dev/urandom fails.  But I will leave the final decision to the
MAINTAINER.

>How-To-Repeat:

cd /usr/pkgsrc/security/gnupg
make

>Fix:

My suggested fix:

Index: Makefile
===================================================================
RCS file: /cvsroot/pkgsrc/security/gnupg/Makefile,v
retrieving revision 1.121
diff -u -r1.121 Makefile
--- Makefile    5 Oct 2013 13:19:51 -0000       1.121
+++ Makefile    26 Oct 2013 17:47:46 -0000
@@ -19,7 +19,6 @@
 GNU_CONFIGURE=         yes
 USE_PKGLOCALEDIR=      yes
 USE_TOOLS+=            gmake msgfmt
-CONFIGURE_ARGS+=       --with-static-rnd=auto
 CONFIGURE_ARGS+=       --with-mailprog=/usr/sbin/sendmail
 TEST_TARGET=           check
 INFO_FILES=            yes
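Review bot: the hunk deletes the option without leaving any record of why, so a later maintainer could re-add it as `--enable-static-rnd=auto` and reintroduce the silent fallback the description warns about; a one-line comment above the remaining CONFIGURE_ARGS stating that static-rnd is deliberately left at the configure default (/dev/random only, per the description) would preserve the intent. Because configure was already ignoring `--with-static-rnd=auto` (the "unrecognized options" warning quoted above), the built package does not change, so the deletion itself is safe to commit; it is still worth confirming against `configure --help` of the packaged version that the default without `--enable-static-rnd` is what the description says, rather than relying on the option name alone.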


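The mismatch reported above (a Makefile passing `--with-static-rnd` to a configure script that only knows `--enable-static-rnd`) is easy to catch mechanically by comparing every option in CONFIGURE_ARGS against the option names that `configure --help` prints. The script below is an added example and is not part of this PR or of pkgsrc; the configure help text and Makefile excerpt embedded in it are constructed stand-ins modelled on the lines quoted in the report, so the real files must be substituted before use.

```shell
#!/bin/sh
# Added example (not pkgsrc or gnupg code): flag CONFIGURE_ARGS options that a
# package's configure script does not recognize, i.e. the ones configure would
# only mention in an "unrecognized options" warning and then ignore.

# Constructed excerpt of a `configure --help` listing. Assumption: only these
# options exist; a real gnupg configure lists many more.
CONFIGURE_HELP='Optional Features:
  --enable-static-rnd=[egd|unix|linux|auto]
                          use this random number generator
  --disable-nls           do not use Native Language Support
Optional Packages:
  --with-mailprog=NAME    use "NAME -t" for mail transport
  --with-libgcrypt-prefix=PFX  prefix where libgcrypt is installed'

# Constructed Makefile excerpt, modelled on the lines quoted in the PR.
MAKEFILE='GNU_CONFIGURE=         yes
CONFIGURE_ARGS+=       --with-static-rnd=auto
CONFIGURE_ARGS+=       --with-mailprog=/usr/sbin/sendmail
CONFIGURE_ARGS+=       --disable-nls'

# Print the option names passed via CONFIGURE_ARGS, one per line, with any
# =value suffix removed.
makefile_options() {
    printf '%s\n' "$1" \
        | sed -n 's/^CONFIGURE_ARGS+\{0,1\}=[[:space:]]*//p' \
        | tr ' ' '\n' | sed 's/=.*$//' | grep '^--'
}

# Return 0 if configure's help text lists the option (in either its
# --enable/--disable or --with/--without spelling), 1 otherwise.
configure_knows() {
    case $2 in
        --enable-*|--disable-*)
            pfx='--(enable|disable)-'; name=${2#--*able-} ;;
        --with-*|--without-*)
            pfx='--with(out)?-'; name=${2#--with}; name=${name#out}; name=${name#-} ;;
        *)
            pfx=''; name=$2 ;;
    esac
    printf '%s\n' "$1" | grep -q -E -e "^[[:space:]]*${pfx}${name}(=| |\$)"
}

# Print every CONFIGURE_ARGS option that configure would ignore, one per line.
unrecognized_options() {
    for opt in $(makefile_options "$2"); do
        configure_knows "$1" "$opt" || printf '%s\n' "$opt"
    done
}

bad=$(unrecognized_options "$CONFIGURE_HELP" "$MAKEFILE")
if [ -n "$bad" ]; then
    echo "configure would silently ignore:"
    echo "$bad"
fi
```

Against the constructed inputs the script reports only `--with-static-rnd`; `--with-mailprog` and `--disable-nls` are accepted because the help text lists them. In a real check, replace the two variables with `./configure --help` output from the extracted distfile and the package's Makefile, and treat any line printed as a build that is not doing what its Makefile claims.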
