Re: [PATCH] OpenBSD Networking-related randomization port
From: Bill Davidsen
Date: Tue Feb 01 2005 - 09:53:51 EST
Arjan van de Ven wrote:
On Fri, 2005-01-28 at 18:17 +0100, Lorenzo HernÃndez GarcÃa-Hierro
wrote:
Hi,
Attached you can find a split up patch ported from grSecurity [1], as
Linus commented that he wouldn't get a whole-sale patch, I was working
on it and also studying what features of grSecurity can be implemented
without a development or maintenance overhead, aka less-invasive
implementations.
why did you make it a config option? This is the kind of thing that is
either good or isn't... at which point you can get rid of a lot of, if
not all the ugly ifdefs the patch adds.
If there is a performance hit (there is), it's not bad to have it be an
option, since some people will choose to go fast ("damn the torpedos,
full speed ahead). Your point on ifdefs *may* be able to be addressed
somewhat by putting them in macros, or similar tricks. But some are
going to be visible even so, and you're right, they are distracting.
Also, why does it need to enhance the random driver this much, the
random driver already has a facility to provide pseudorandom numbers
good enough for networking use (eg the PRNG rekeys often enough with
real entropy that brute forcing it shouldn't be possible).
I'm curious about this one as well, unless there's some proof that the
output is "better" by actual analysis, why change? And that's better in
terms of realized security, not by some change in the 5th insignificant
digit of a statistical measure.
In general I do like to have the option of more security as a tradeoff,
even if it is more than is generally needed.
--
-bill davidsen (davidsen@xxxxxxx)
"The secret to procrastination is to put things off until the
last possible moment - but no longer" -me
-
To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to majordomo@xxxxxxxxxxxxxxx
More majordomo info at http://vger.kernel.org/majordomo-info.html
Please read the FAQ at http://www.tux.org/lkml/