[19239] in bugtraq
Re: OS snobbery... (was Re: Bad PRNGs revisted in FreSSH)
daemon@ATHENA.MIT.EDU (Thor Lancelot Simon)
Thu Feb 15 16:40:47 2001
Mime-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Content-Disposition: inline
Message-Id: <20010214153301.A17143@rek.tjls.com>
Date: Wed, 14 Feb 2001 15:33:01 -0500
Reply-To: tls@rek.tjls.com
From: Thor Lancelot Simon <tls@REK.TJLS.COM>
X-To: Valdis.Kletnieks@vt.edu
To: BUGTRAQ@SECURITYFOCUS.COM
In-Reply-To: <200102142001.f1EK1Gi00710@foo-bar-baz.cc.vt.edu>; from
Valdis.Kletnieks@vt.edu on Wed, Feb 14, 2001 at 03:01:16PM -0500
On Wed, Feb 14, 2001 at 03:01:16PM -0500, Valdis.Kletnieks@vt.edu wrote:
> (Another fine example of OS snobbery on Bugtraq)...
>
> On Wed, 14 Feb 2001 05:02:08 GMT, tls@REK.TJLS.COM said:
>
> > FreSSH distribution -- thankfully, since just
> > about everyone in the world *does* have a
> > /dev/random (whatever name it's called by; this
> > code is in an OS-dependent source file that has
> > the appropriate name for the OS in question in it)
> > just about nobody does get stuck with this.
>
> Unless you're AIX, Irix, Solaris....
I'd consider that a fair and reasonable comment if you hadn't
snipped the part of my text where I explicitly pointed out that,
at the moment, FreSSH *does not run on those operating systems* and
that for it to do so, the module containing the function in question
would have to be rewritten.
Someone else stated elsewhere in this thread that NetBSD (one of
the platforms used for FreSSH development, coincidentally) is an
example of a current operating system without a /dev/random. That's
actually false, and in point of fact, with the quick application of
a Sun-provided patch you can even have a /dev/random on Solaris.
Not that that will make FreSSH *build* on Solaris, at least not the
version you'll find in that 0.8 tar file, but we're going to get
that fixed ASAP, too, just like this bug.
> In fact, unless you're anything but BSD44, linux, or svr4, by
> judging by the fressh 0.8 source distribution - those are the only
> 3 operating systems that have sys_sys_XXX.c files.
>
> However, BSD44, Linux, and SVR4 are *not* "just about everybody".
They are, actually, in the context of the current public FreSSH
distribution, "more than everybody" since, as is well-documented,
the SVR4 module doesn't work.
Of course we intend to fix this; in fact, it's pretty much already
fixed, as is the code people are (justifiably) complaining about
in this thread -- even though that code is basically never used. We
are doing everything possible to get our 0.9 release out the door and
it will have this and any other bugs anyone points out to us fixed,
period.
Thor
