bug#22202: 24.5; SECURITY ISSUE -- Emacs Server vulnerable to random number generator attack on Windows systems

[John Wiegley]

>>>>> Eli Zaretskii <eliz@gnu.org> writes:

> We have what we need; calling gnutls_rnd changes nothing in this regard.
> It's just a more complex way of issuing the same system calls. It buys us
> nothing in terms of security and performance, while we sustain the price of
> having core functionality that must run at startup crucially depending on a
> 3rd party library we don't control.

> John, I feel this decision is wrong and the changes that prefer gnutls_rnd
> should be reverted. Maybe I'm the only one who cares, but then Paul is the
> only one who felt the need to make that change. I'd like to hear your take
> on this, please.

From what I've read, I agree with you Eli. If we can open /dev/urandom, why do
we need a dependency on GnuTLS to effectively do the same thing?

What critical feature is GnuTLS buying for us that would make this worthwhile,
Paul?

-- 
John Wiegley                  GPG fingerprint = 4710 CF98 AF9B 327B B80F
http://newartisans.com                          60E1 46C4 BD1A 7AC1 4BA2

signature.asc
Description: PGP signature