[Top][All Lists]

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: maradns reproducibility fixes and the merits of picking a random num

From: Felix Lechner
Subject: Re: maradns reproducibility fixes and the merits of picking a random number
Date: Mon, 6 Jun 2022 20:24:22 -0700


On Mon, Jun 6, 2022 at 6:50 PM Vagrant Cascadian
<> wrote:
> So, Debian's maradns package just removes this embedding of a "random"
> number, and I've basically adapted their patches to build reproducibly
> on guix too... by basically embedding the same "random" number every
> single build!

There may be more than one opinion, but as the maintainer of a TLS
library in Debian I think it is a questionable tradeoff. At a minimum,
it would be preferable to use the version number instead of a fixed
constant for all releases.

MaraDNS does not support DNSSEC so the program may not use entropy for
keys. Either way, I'd rather use an unreproducible build than,
accidentally, a known number series to encrypt secrets. Can one patch
out the constant entirely so it is no longer available?

The upstream website says: "People like MaraDNS because it’s ...
remarkably secure." [1] Since many distributions have the same issue,
upstream could perhaps offer the patch as a build switch to enable a
build-time seed only when needed.

Thank you for your hard work on Guix! As a newbie I'll say, what a
great distro. Thanks, everyone!

Kind regards,
Felix Lechner


reply via email to

[Prev in Thread] Current Thread [Next in Thread]