cvs commit: src/games/fortune/fortune fortune.c

Pawel Jakub Dawidek pjd at FreeBSD.org
Sun Jul 24 18:19:15 GMT 2005


On Sun, Jul 24, 2005 at 04:06:02PM +0200, Poul-Henning Kamp wrote:
+> In message <20050724135738.GM46538 at darkness.comp.waw.pl>, Pawel Jakub Dawidek writes:
+> 
+> >We should probably test entropy quality on boot.
+> >I've somewhere userland version of /sys/dev/rndtest/ which implements
+> >FIPS140-2 tests for (P)RNGs. We can use put it into rc.d/ and warn users.
+> 
+> We also need to put code into exec(2) to verify that the binary we're about
+> to execute does not suffer from Turings halting problem (ie: contains no
+> endless loops) 
+> 
+> We might as well inspect for buffer overflows at the same time.
+> 
+> Anyway, back in this universe:  We should not stick a lot of stuff into
+> our boot-time scripts, they are slow enough already.

I think such a tool will be still useful (even if not turned on by default),
so one can turn it on when thinks it's needed:
- on production machines,
- on first start of rc.d/sshd (when you host keys are generated),
- when you need to check if PRNG is the thing which makes your fortune
  not to work properly (or instrument the user how to do it easly).
etc.

We (FreeBSD) did a lot of work to have really good PRNG, so its sucks
when it just doesn't work.

PS. CCing freebsd-security at .

-- 
Pawel Jakub Dawidek                       http://www.wheel.pl
pjd at FreeBSD.org                           http://www.FreeBSD.org
FreeBSD committer                         Am I Evil? Yes, I Am!
-------------- next part --------------
A non-text attachment was scrubbed...
Name: not available
Type: application/pgp-signature
Size: 187 bytes
Desc: not available
Url : http://lists.freebsd.org/pipermail/cvs-src/attachments/20050724/0fa6668f/attachment.bin


More information about the cvs-src mailing list