tech-security archive

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index][Old Index]

Re: OpenSSH/OpenSSL patches to stop excessive entropy consumption



On Sun, Mar 04, 2012 at 02:04:45PM +0900, Izumi Tsutsui wrote:
> 
> Then isn't it better to ask these changes to upstream first?

I've already started the process of feeding the OpenSSL change back
to OpenSSL.  I don't anticipate any problem there.

I am less sanguine about OpenSSH -- after all, the genesis of the
basic issue here is in the strange OpenBSD hack that guts the OpenSSL
RNG.  But I cannot really see any problem with less than 50 lines of
local changes; our in-tree OpenSSH is already far more different than
that, and I have not heard any complants about merge difficulty.

> I'm afraid maintaining 6KB diffs in src/external tree
> would be annoying in future imports.

Really?  We have code in src/external that has thousands of lines of
diffs, not just a few tens.  I can't see I find this reasoning very
persuasive.

Thor


Home | Main Index | Thread Index | Old Index