[Bug-gnubg] Serious bug: Random.org - Important Request for Comments

[Michael Petch]

Today this bug appeared on our tracking system
(https://savannah.gnu.org/bugs/?43997)

"Of late the programme picks up the same old dice numbers and not random
eg: w 3.1, b4.1, w2.2, b6.2.... This does not give confidence on
'cheating' its hard enough to win anyway!
The same applies on my laptop win 8.1 64 bit.
Any thoughts on how to regenerate true random numbers apart from manual
throwing?
Rgds"

I have confirmed that this is the case. I quickly discovered that we
don't retrieve values from Random.org anymore because of a permanent URL
redirect that requires https rather than http. We don't support 'https',
just 'http' . It appears we quietly fall back to a PRNG with a fixed
seed (so the values generated always seem to be the same). We should
probably be a bit smarter about falling back to a PRNG and probably let
the user know.

The primary issue is that we now have to support https. This is non
trivial if we roll our own. My request for comments is regarding how we
should go about resolving this. The first thing that I am considering is
using libcurl: http://curl.haxx.se/libcurl/

It is file transfer protocol that supports a variety of internet
protocols including http and https. The the TLS support can come from a
number of backend libraries such as OpenSSL and GNUtls.One other things
is that libcurl handles things like HTTP redirects etc.

The downside is that we add some more dependencies to GNUbg. We'll
require libcurl(and anything it depends on) if a user wants Random.org
support . We'd have to check for libcurl (and that it support SSL)
during the ./configure process.

There are some potential licensing issues with libcurl. It primarily has
to do with releasing binaries that use OpenSSL for TLS on the back end
when linked with GPL code. There is one possible solution. Use GNUtls as
a back end. Unfortunately it may be (and I have to look into it) the
Windows (MingW builds) and/or OS/X may be using OpenSSL. Whether they
can be easily changed I can't say. Projects like 'wget' have been using
a special exemption to deal with this in their license:

"In addition, as a special exception, the Free Software Foundation gives
permission to link the code of its release of Wget with the OpenSSL
project's "OpenSSL" library (or with modified versions of it that use
the same license as the "OpenSSL" library), and distribute the linked
executables. You must obey the GNU General Public License in all
respects for all of the code used other than "OpenSSL". If you modify
this file, you may extend this exception to your version of the file,
but you are not obligated to do so. If you do not wish to do so, delete
this exception statement from your version."

Does anyone have any other suggestions (beyond libcurl) or have any
comments on this issue in general? I'd like to hear them before I look
at producing a fix.

Thanks,
-- 
Michael Petch
GNU Backgammon Maintainer / Developer
OpenPGP FingerPrint=D81C 6A0D 987E 7DA5 3219 6715 466A 2ACE 5CAE 3304