From https://gitweb.gentoo.org/repo/gentoo.git/commit?id=c0aaf46b750b10842f1436cb5d334c53004b71ff: "Upstream: - Remove backend Weak::rand due to poor quality entropy" We should see if anybody was using this backend (or any other weak backends in this package) and act accordingly.
Removing the backend means code that explicitly tries to use that backend will break, and code that doesn't explicitly try to use that backend will not break and won't get bad randomness.

So I don't think this warrants SEC attention, beyond "stabilize, get rid of old versions, make sure no rev-deps break".
(In reply to Kent Fredric (IRC: kent\n) from comment #1)
> Removing the backend means code that explicitly tries to use that backend
> will break, and code that doesn't explicitly try to use that backend will
> not break and won't get bad randomness.
>
> So I don't think this warrants SEC attention, beyond "stabilize, get rid of
> old versions, make sure no rev-deps break"

Okay, sure. I was thinking of other possible consumers for other providers, but that's really such a Pandora's box.
Though, hmm. https://metacpan.org/pod/Crypt::Random::Source#CAVEATS

> In versions prior to 0.13, rand could be used as a result of calling get_weak,
> or get, if no random device was available. This implies that not explicitly
> asking for get_strong on a non POSIX operating system (e.g. Win32 without
> the Win32 backend) could have resulted in non cryptographically random data.

But the only place I can see `get_weak` used on CPAN is this line:
https://metacpan.org/release/Crypt-Rijndael-PP/source/lib/Crypt/Rijndael/PP.pm#L101

And we don't ship this.
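A way to actually run the "see if anybody was using this backend" check from the first comment, and at the same time flag the `get_weak` and bare `get()` consumers the CAVEATS quote is about, as an added example. This is not code from the bug, the ebuild, or Crypt-Random-Source itself; the grep patterns are heuristics I chose, and the fake consumer modules it builds under a temp directory are constructed sample input, not real CPAN code.

```shell
#!/bin/sh
# Audit helper added for this thread. It is not part of the Gentoo bug, the
# ebuild, or Crypt-Random-Source; the three patterns below are my own
# heuristics (assumptions), not an exhaustive Perl parser.
#
# What it flags in a tree of Perl sources:
#   1. explicit use of the removed module Crypt::Random::Source::Weak::rand
#      (will fail to load once the backend is gone)
#   2. imports of / calls to get_weak (the entry point that could select it)
#   3. the unqualified get() entry point, which the CAVEATS section says could
#      fall back to rand before 0.13 when no random device was available
set -eu

# All Perl source files under $1, one path per line.
crs_perl_files() {
    find "$1" -type f \( -name '*.pm' -o -name '*.pl' -o -name '*.t' \)
}

# Files referencing the removed backend or get_weak: these are the reverse
# dependencies that break (or lose their backend) after the upgrade.
crs_weak_users() {
    crs_perl_files "$1" | while IFS= read -r f; do
        if grep -qE 'Crypt::Random::Source::Weak::rand|(^|[^A-Za-z0-9_])get_weak([^A-Za-z0-9_]|$)' "$f"; then
            printf '%s\n' "$f"
        fi
    done
}

# Files that load Crypt::Random::Source and call a bare get(...) rather than
# get_strong(...). A method call such as $src->get(8) is deliberately excluded
# by rejecting a preceding '>' (and a package separator ':').
crs_bare_get_users() {
    crs_perl_files "$1" | while IFS= read -r f; do
        if grep -q 'Crypt::Random::Source' "$f" \
           && grep -qE '(^|[^A-Za-z0-9_:>])get\(' "$f"; then
            printf '%s\n' "$f"
        fi
    done
}

# Number of lines printed by one of the listing functions (portable wc -l).
crs_count() {
    "$@" | wc -l | tr -d ' '
}

# Build a constructed sample tree of fake consumers (not real modules) in $1.
crs_make_sample_tree() {
    mkdir -p "$1/lib/Foo" "$1/t"
cat > "$1/lib/Foo/Key.pm" <<'EOF'
package Foo::Key;
use Crypt::Random::Source qw(get_strong);
sub new_key { return get_strong(32) }   # explicit strong source: unaffected
1;
EOF
cat > "$1/lib/Foo/Nonce.pm" <<'EOF'
package Foo::Nonce;
use Crypt::Random::Source qw(get_weak);
sub nonce { return get_weak(16) }       # weak entry point: affected
1;
EOF
cat > "$1/lib/Foo/Legacy.pm" <<'EOF'
package Foo::Legacy;
use Crypt::Random::Source::Weak::rand;  # removed backend: will fail to load
sub bytes { return Crypt::Random::Source::Weak::rand->new->get(8) }
1;
EOF
cat > "$1/t/basic.t" <<'EOF'
use Crypt::Random::Source qw(get);
my $b = get(4);                          # unqualified get(): pre-0.13 fallback risk
EOF
}

# Run it on the constructed tree so the block works stand-alone.
SAMPLE="$(mktemp -d)"
crs_make_sample_tree "$SAMPLE"
echo "consumers of the removed backend / get_weak:"
crs_weak_users "$SAMPLE"
echo "consumers calling unqualified get():"
crs_bare_get_users "$SAMPLE"
rm -rf "$SAMPLE"
```

For a real check, point `crs_weak_users` and `crs_bare_get_users` at the installed vendor Perl tree or at checkouts of the package's reverse dependencies instead of the sample directory; anything in the first list is a rev-dep that needs attention before the old version is dropped, and the second list is only interesting if a consumer could still be running a pre-0.13 release.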
Can we stable this now?
amd64 done
x86 done. All arches done.
Please cleanup, thanks!
The bug has been referenced in the following commit(s):
https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=08625cc452d6994be9556fbdac6217d5d74e9282

commit 08625cc452d6994be9556fbdac6217d5d74e9282
Author:     Andreas K. Hüttel <dilfridge@gentoo.org>
AuthorDate: 2021-05-08 13:04:11 +0000
Commit:     Andreas K. Hüttel <dilfridge@gentoo.org>
CommitDate: 2021-05-08 13:04:11 +0000

    dev-perl/Crypt-Random-Source: Remove old

    Bug: https://bugs.gentoo.org/732642
    Package-Manager: Portage-3.0.18, Repoman-3.0.2
    Signed-off-by: Andreas K. Hüttel <dilfridge@gentoo.org>

 .../Crypt-Random-Source-0.120.0.ebuild | 36 ----------------------
 dev-perl/Crypt-Random-Source/Manifest  |  1 -
 2 files changed, 37 deletions(-)
Nothing left to do for us.