[security-dev 00645]: Re: Please review:

Weijun Wang Weijun.Wang at Sun.COM
Mon Mar 2 23:36:47 PST 2009

Xuelei Fan wrote:
> Max,
> I'm not satisfied with the fix, it try to read the *first* 1024 files in
> the "java.io.tmpdir", I don't know the order of the iterator of
> java.nio.file.Path.newDirectoryStream(), but if the order sounds like by
> name, by creation time, etc. I don't think the randomness is strong enough.

Correct. On a server with too many tmp files not get deleted, the first
1024 will always be the same.

New webrev:

Now I choose the file for random. To be 100% identical to the old codes
when there are not many files, I always choose the first 512 files.

> We talked about the bug around July, 2008 (Subject: SHA1PRNG
> SecureRandom architecture). Brad suggested remove the java.io.tmpdir
> stuff completely, while I think maybe we need the randomness of them. We
> got no conclusion on the discuss.
> I would prefer remove the stuff now.

Well, I don't know. More random facts bring more randomness, and I dare
out remove any of them without a theoretical computation.


> Thanks,
> Andrew
> Weijun Wang wrote:
>> Hi All
>> A code review request for
>>    6705872 SecureRandom number init is taking too long
>>       on a java.io.tmpdir with a large number of files.
>>    http://bugs.sun.com/bugdatabase/view_bug.do?bug_id=6705872
>> Webrev is at:
>>    http://cr.openjdk.java.net/~weijun/6705872/webrev.00/
>> The threshold 1024 is a randomly chosen big enough number.
>> Thanks
>> Max

More information about the security-dev mailing list