No, *this* bug. Nothing should ever depend on the value of uninitialized memory, and if clearing it produced a security flaw then there was one there already. Unless it was actually cleared after being filled from /dev/random or something, but then there shouldn't have been a valgrind warning in the first place. Uninitialized memory was only being used as an extra source of randomness. There was a compile-time flag to turn this off to make debuggers stop complaining.
However, Debian didn't use this flag, but instead tried to comment out the code themselves. And they commented out too much, breaking the whole thing completely.
Actually, looking closer, the real problem was not that they removed the uninitialized memory use (which was just there because it couldn't hurt with a little extra randomness), but that they also removed OTHER sources of randomness due to incredible stupidity.
You do realize you're trying to explain why the biggest online forum in the world is badly designed and should change, right? It's not just "popular", it really is the biggest, and that's with being limited to an almost entirely Japanese audience.
You'd better go read and comprehend the discussion you are replying to.
Please pay attention to who I was responding to.
Futaba and 2channel are quite dissimilar. And dis.4chan.org is many years younger than 4chan itself.
"Do some fucking research?" That's hilarious. Try clicking that "homepage" link.
I know Futaba is an offshoot of 2channel, but that wasn't the point. The point was that 4chan was started specifically as an English version of Futaba, and not as anything to do with 2channel. The 2channel-style text boards were added later on.
"Troll"? It's basic facts. Slashdot is a far smaller site than 2channel.
No, it was not. It was created as an English version of Futaba Channel, a completely different site.
No, it is not. Futaba Channel is the forefather of 4chan. It has the domain name "2chan.net", but it is never, ever referred to as "2chan" in Japan, only "Futaba Channel".
Furthermore, not even Futaba Channel is all that much like 4chan. It doesn't have a "/b/" - it has several boards with that in the URL, but they are quite different beasts in practice. They are not named "Random" or anything like it, either, but "nijiura".
Slashdot is peanuts compared to 2channel.
So with no wealth to be made, this does not actually sound like a frontier at all.
Perfectly USELESS!
You don't need to be perfect to be useful.
Feeling just a little bit defensive, are we?
No, Slashdot is just broken. It doesn't get you exactly that. There's no "curren" or "quot" in it.
No, we did not. We discovered that if you keep loudly shouting every possible idea, sooner or later one of them will sound a little bit like the truth.
Ok, that was an entirely depressing display of Linux-nerd close-mindedness.
Wow, you're not just a little presumptuous. So using Linux is the only way to be "creative, inquisitive and independent minded"?
Please read the other replies in this thread. I am getting tired of answering this.
It does not hurt to use it as an additional source of randomness.
Please read the other replies to this post, I am getting tired of answering this.
No.
Appropriate sources of randomness were used, in addition to uninitialized memory. Debian removed both, it turns out.
That is pretty much completely wrong.
OpenSSL definitely used uninitialized memory for randomness. This was optional, and there was a flag to turn it off during compilation, because it made valgrind complain.
However, Debian did not use this flag, but tried to comment the offending lines out themselves. However, they commented out more than they should, and rendered the whole code non-functional.
Here is the actual patch:
http://svn.debian.org/viewsvn/pkg-openssl/openssl/trunk/rand/md_rand.c?rev=141&view=diff&r1=141&r2=140&p1=openssl/trunk/rand/md_rand.c&p2=/openssl/trunk/rand/md_rand.c
Note the lack of memset() or XOR loops.
Yes, I looked closer at the patches, and you're right. There was a suggested patch to clear the memory before use, which was rejected.
That would have been dumb, but not catastrophic, like what they finally did was.