<html>
<head>
<meta content="text/html; charset=UTF-8" http-equiv="Content-Type">
</head>
<body style="background-color: rgb(255, 255, 255); color: rgb(0, 0,
0);" bgcolor="#FFFFFF" text="#000000">
Hi Sean, Alex<br>
<br>
Here's a sum-up post:<br>
<br>
<a class="moz-txt-link-freetext" href="http://mail.openjdk.java.net/pipermail/security-dev/2014-June/010700.html">http://mail.openjdk.java.net/pipermail/security-dev/2014-June/010700.html</a><br>
<br>
Regards, Peter<br>
<br>
<br>
<div class="moz-cite-prefix">On 07/14/2014 04:44 PM, Sean Mullan
wrote:<br>
</div>
<blockquote cite="mid:53C3ECC2.8040202@oracle.com" type="cite"><!--[if !IE]><DIV style="border-left: 2px solid #009900; border-right: 2px solid #009900; padding: 0px 15px; margin: 2px 0px;"><![endif]-->I
don't see a pointer to the webrev/patch -- did you forget to
include it?
<br>
<br>
--Sean
<br>
<br>
On 07/11/2014 07:33 PM, Martin Buchholz wrote:
<br>
<blockquote type="cite"><!--[if !IE]><DIV style="border-left: 2px solid #009900; border-right: 2px solid #009900; padding: 0px 15px; margin: 2px 0px;"><![endif]-->Thanks
to Peter for digging into the secure seed generator classes and
<br>
coming up with a patch. Openjdk security folks, please review.
I confess
<br>
to getting lost whenever I try to orient myself in the twisty
maze of seed
<br>
generator implementation files.
<br>
<br>
Anyways, it seems important to have prngs like ThreadLocalRandom
be able to
<br>
get a few bits of seed entropy without loading hundreds of
classes and
<br>
without occupying any file descriptors permanently. Perhaps at
Google we
<br>
will go back to writing some simple non-portable startup code to
read
<br>
/dev/urandom until openjdk security team comes up with a more
principled
<br>
solution (but one that doesn't drag in too much machinery).
<br>
<br>
<!--[if !IE]></DIV><![endif]--></blockquote>
<!--[if !IE]></DIV><![endif]--></blockquote>
<br>
</body>
</html>