apr-dev mailing list archives

From Graham Leggett <minf...@sharp.fm>
Subject Re: PR #44881
Date Fri, 02 May 2008 10:51:57 GMT
Joe Orton wrote:

> In retrospect, I don't think it's a good idea for APR to venture further 
> into this domain without a thorough review of what different randomness 
> sources are available on different OSes, what are the common 
> denominators, etc. The previous effort at providing something more 
> general here is completely unused (apr/random) and been a waste of space 

Tomcat advertises itself as offering "Secure session ID generation by 
default on all platforms (platforms other than Linux required random 
number generation using a configured entropy)" when APR is enabled 
within Tomcat.

They don't mention exactly which part of APR they are using to do this, 
but if it is apr/random, then it is being used.

What would be useful is a function which would return true if random 
number generation is crypto safe on that platform. At the very least, 
the user of the library gets no surprises as to the quality of the 
numbers they get.
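
One way the check proposed in this message could look on a POSIX system, as an added example that is not part of the original message and not APR code. The function names are hypothetical, and it assumes "crypto safe" means `/dev/urandom` opens as a kernel character device; the session-id helper returns an error when that is not the case.

```c
#include <errno.h>
#include <fcntl.h>
#include <sys/stat.h>
#include <unistd.h>

/* All names below are hypothetical; none of them is an APR function. */

/* Open path read-only and require a character device, so a regular file or
 * directory sitting at that path is rejected. Returns an open fd, or -1. */
int open_rng_device(const char *path)
{
    struct stat st;
    int fd = open(path, O_RDONLY);
    if (fd < 0)
        return -1;
    if (fstat(fd, &st) != 0 || !S_ISCHR(st.st_mode)) {
        close(fd);
        return -1;
    }
    return fd;
}

/* Assumption: "crypto safe" here means /dev/urandom is such a device. */
int rng_is_crypto_safe(void)
{
    int fd = open_rng_device("/dev/urandom");
    if (fd >= 0)
        close(fd);
    return fd >= 0;
}

/* Write a 128-bit id as 32 hex chars plus NUL. Returns 0, or -1 when the
 * buffer is too small or no safe source exists (no fallback generator). */
int rng_session_id(char *hex, size_t hexlen)
{
    static const char digits[] = "0123456789abcdef";
    unsigned char raw[16];
    size_t got = 0;
    int fd;
    if (hexlen < 2 * sizeof raw + 1 || (fd = open_rng_device("/dev/urandom")) < 0)
        return -1;
    while (got < sizeof raw) {            /* handle short reads and EINTR */
        ssize_t n = read(fd, raw + got, sizeof raw - got);
        if (n > 0) got += (size_t)n;
        else if (n == 0 || errno != EINTR) { close(fd); return -1; }
    }
    close(fd);
    for (size_t i = 0; i < 2 * sizeof raw; i++)   /* high nibble first */
        hex[i] = digits[(raw[i / 2] >> (i % 2 ? 0 : 4)) & 0x0f];
    hex[2 * sizeof raw] = '\0';
    return 0;
}
```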

