OpenBSD Will Not Fix PRNG Weakness
snake-oil-security writes "Last fall Amit Klein found a serious weakness in the OpenBSD PRNG (pseudo-random number generator), which allows an attacker to predict the next DNS transaction ID. The same flavor of this PRNG is used in other places like the OpenBSD kernel network stack. Several other BSD operating systems copied the OpenBSD code for their own PRNG, so they're vulnerable too: Apple's Darwin-based Mac OS X and Mac OS X Server, and also NetBSD, FreeBSD, and DragonFlyBSD. All the above-mentioned vendors were contacted in November 2007. FreeBSD, NetBSD, and DragonFlyBSD committed a fix to their respective source code trees; Apple refused to provide any schedule for a fix, but OpenBSD decided not to fix it. OpenBSD's coordinator stated, in an email, that OpenBSD is completely uninterested in the problem and that the problem is completely irrelevant in the real world. This was highlighted recently when Amit Klein posted to the BugTraq list."
There are plenty of folk who see that as a feature not a flaw. Your view of the freedom offered by the GPL is flawed, my little BSD troll. How you managed to get that high of a score on your post shows how many of the little devils have moderation points today.
The GPL isn't about developer freedom, it's about the code's freedom. No matter who decides to pick up and distribute a fork of your project, your users are always sure the source will remain open if the corporate entity decides that it no longer wants to distribute its forks. Hence, they are assured that the modifications done over time are always available and can be included in the main tree of your project if need be.
There are plenty of folk who see that as a feature, not a flaw.
"Not to mention all the idiots who use words like boxen."
Anonymous Coward on Monday August 04, @06:49PM