From: Dirk S. <val...@ds...> - 2008-05-14 07:09:26
On Tue, 13 May 2008, Christoph Bartoschek wrote:
> I've read about the debian SSL bug. http://wiki.debian.org/SSLkeys
>
> There they state:
>
> It is important to understand that this problem was caused by trying to remove
> valgrind warnings related to the use of uninitialised memory within the
> openssl libraries.
>
> Apparently they disabled too many seeds with the patch. Unfortunately origin
> tracking comes too late. :)

After I read the rants against Debian, I ask myself why not one of the OpenSSL authors actually agreed that taking uninitialised memory is no good idea (as it is in no way random). They should have replaced that code long ago by better randomness.

I really hate these library authors not caring for valgrind and memory checks. So many problems in glib, x-libs and others make debugging one's own applications a very hard task. And the result is many memory holes and illegal accesses in all the GUI applications using these libraries (or am I the only one who finds it hard to debug e.g. a Qt/KDE program using valgrind?).

Reminds me of the Amiga, where program authors used direct ROM calls and other evil things and then blamed the operating system for changing, instead of seeing the problems in their own programming style.

Ciao
--
http://www.dstoecker.eu/ (PGP key available)