Posted to dev@commons.apache.org by Rob Tompkins <ch...@gmail.com> on 2019/02/08 12:10:42 UTC
[CANCEL][VOTE] Release Apache Commons Codec 1.12 based on RC2
I’m a -1 as well. I have some ideas here and will work on those going forward.
-Rob
> On Feb 8, 2019, at 6:41 AM, Gary Gregory <ga...@gmail.com> wrote:
>
> Whatever we do, let's document it as best we can in places users will find
> it.
>
> Gary
>
>> On Fri, Feb 8, 2019, 06:36 sebb <sebbaz@gmail.com> wrote:
>>
>> -1 to the release:
>> I don't think we can release the code as is; it is bound to cause
>> significant delays on some systems.
>>
>> I think we need to establish whether using 'new SecureRandom()'
>> instead of SecureRandom.getInstanceStrong() makes the long delays go
>> away.
>>
>> Then we need to establish whether we really need
>> SecureRandom.getInstanceStrong().
>> From what I read in the link posted by Bruno:
>>
>> https://tersesystems.com/blog/2015/12/17/the-right-way-to-use-securerandom/
>> and linked posts such as:
>> https://www.2uo.de/myths-about-urandom/
>>
>> it looks like 'new SecureRandom()' would be just as good for our purposes.
>>
>> S.
>>
>>> On Fri, 8 Feb 2019 at 11:12, Gary Gregory <ga...@gmail.com> wrote:
>>>
>>>> On Fri, Feb 8, 2019, 03:58 Gilles Sadowski <gilleseran@gmail.com> wrote:
>>>>
>>>> Hello Bruno.
>>>>
>>>> On Fri, 8 Feb 2019 at 02:54, Bruno P. Kinoshita <ki...@apache.org> wrote:
>>>>>
>>>>> Hi,
>>>>>
>>>>> Had a bit of spare time to investigate this one (almost end of Friday
>>>>> for me anyway, hooray!).
>>>>>
>>>>> There are two unit tests in Sha512 hanging for me in Eclipse,
>>>>> testSha512CryptExplicitCall and testSha512CryptNullData. The code that
>>>>> the test uses and hangs in my JVM can be simplified to:
>>>>>
>>>>> ```
>>>>> String salt = B64.getRandomSalt(8);
>>>>> System.out.println(salt); // never seen
>>>>> ```
>>>>>
>>>>> Looking at B64, we have this: `SecureRandom.getInstanceStrong()`,
>>>>> which is the random object. Used to randomly pick a letter of the B64
>>>>> alphabet.
>>>>
>>>> Where is that code?
>>>>
>>>>
>> https://gitbox.apache.org/repos/asf?p=commons-codec.git;a=blob;f=src/main/java/org/apache/commons/codec/digest/B64.java;h=abd83fc34cd3b0df61fb6c0b33772d9cb5f559a7;hb=refs/heads/1_12
>>>
>>>
>>> That should be an array, not a string IMO.
>>>
>>> Gary
>>>
>>>>
>>>>
>>>> Gilles
>>>>
>>>>>
>>>>> It appears this one may take a long time in some systems due to low
>>>>> entropy. i.e. it tries to gather more random data to give you a really
>>>>> strong random... only that it appears to take a long long time for my
>>>>> JVM.
>>>>>
>>>>> Cheers
>>>>> Bruno
>>>>>
>>>>>
>>>>
>> https://tersesystems.com/blog/2015/12/17/the-right-way-to-use-securerandom/
>>>>>
>>>>> On Friday, 8 February 2019, 2:31:35 pm NZDT, Rob Tompkins <chtompki@gmail.com> wrote:
>>>>>
>>>>>> On Feb 7, 2019, at 8:17 PM, sebb <se...@gmail.com> wrote:
>>>>>>
>>>>>> It builds fine on ubuntu trusty with Java 8
>>>>>
>>>>> Agree
>>>>>
>>>>>>
>>>>>>
>>>>
>> https://builds.apache.org/view/A-D/view/Commons/job/Commons-Codec-Adhoc/
>>>>>>
>>>>>> Maybe sprinkle the Sha2Crypt.sha2Crypt method with debug prints to see
>>>>>> where the code is hanging?
>>>>>>
>>>>>> Or can you run the test in an IDE that allows you to interrupt it if
>>>>>> it hangs?
>>>>>>>> [...]
>>>>
>>>> ---------------------------------------------------------------------
>>>> To unsubscribe, e-mail: dev-unsubscribe@commons.apache.org
>>>> For additional commands, e-mail: dev-help@commons.apache.org
>>>>
>>>>
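
The comparison asked for in the thread, written as an added example (not code from the thread or from Commons Codec): it times an 8-character salt drawn with `new SecureRandom()` against one drawn with `SecureRandom.getInstanceStrong()`, giving up after 10 seconds. The class name, method names, `ALPHABET` constant and the 10-second limit are assumptions made for the example.

```java
import java.security.SecureRandom;
import java.util.concurrent.*;

public class SaltSourceTiming {
    // Traditional crypt(3) base-64 alphabet, kept as a char[] (constant name is hypothetical).
    private static final char[] ALPHABET =
        "./0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz".toCharArray();

    // Pick num alphabet characters; nextInt(bound) is uniform, so there is no modulo bias.
    static String randomSalt(int num, SecureRandom rnd) {
        StringBuilder sb = new StringBuilder(num);
        for (int i = 0; i < num; i++) {
            sb.append(ALPHABET[rnd.nextInt(ALPHABET.length)]);
        }
        return sb.toString();
    }

    // Returns elapsed milliseconds, or -1 if no salt was produced within the timeout.
    static long timeSalt(Callable<SecureRandom> source, long timeoutSeconds) throws Exception {
        // Daemon thread: a read blocked on the OS entropy pool must not keep the JVM alive.
        ExecutorService pool = Executors.newSingleThreadExecutor(r -> {
            Thread t = new Thread(r, "salt-timing");
            t.setDaemon(true);
            return t;
        });
        Callable<String> task = () -> randomSalt(8, source.call());
        long start = System.nanoTime();
        Future<String> result = pool.submit(task);
        try {
            result.get(timeoutSeconds, TimeUnit.SECONDS);
            return TimeUnit.NANOSECONDS.toMillis(System.nanoTime() - start);
        } catch (TimeoutException e) {
            return -1;
        } finally {
            pool.shutdownNow();
        }
    }

    static String describe(long ms) {
        return ms < 0 ? "no salt within 10 s (blocked)" : ms + " ms";
    }

    public static void main(String[] args) throws Exception {
        long plain = timeSalt(SecureRandom::new, 10);
        long strong = timeSalt(SecureRandom::getInstanceStrong, 10);
        System.out.println("new SecureRandom():               " + describe(plain));
        System.out.println("SecureRandom.getInstanceStrong(): " + describe(strong));
    }
}
```

Which provider backs each call depends on the JVM's `java.security` configuration (`securerandom.source` and `securerandom.strongAlgorithms`), so the timings are only meaningful on the machine where the tests hang.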