Jon Marks <j-marks@uiuc.edu> writes:
> The best solution seems to be building more flexible PRNG initialization
> into libpq itself.
The thing that sticks in my craw about OpenSSL's approach to this is
that they assume application programmers (or database interface library
programmers, in this case) know more about how to find a suitable source
of randomness than the OpenSSL library does. That strikes me as
completely wrong, not to say an abdication of responsibility for correct
operation of their library. If it's a hard problem, why do they think
that application programmers (who presumably know little about crypto)
are more likely to get it right than they are?
I have heard that the next release of OpenSSL is going to fix this
problem, and so I'm not inclined to patch around it in our code.
regards, tom lane
