[hunchentoot-devel] Patch submission using secure-random in create-random-string

Anton Vodonosov avodonosov at yandex.ru
Wed Dec 5 03:23:40 UTC 2012


03.12.2012, 08:52, "Sabra Crolleton" <sabra.crolleton at gmail.com>:
> This patch changes the function random-string to use secure-random:number which is a better random number generator.
>
> Anton Vodonosov, since secure-random is your package, I would appreciate your review.
>
> Sabra

Hello.

This fix would be good if secure-random didn't depend on cl+ssl.

Currently secure-random uses the cl+ssl random number generator,
so applying this patch will make hunchentoot always unconditionally
depend on cl+ssl, but hunchentoot is supposed to be workable
without cl+ssl (if :hunchentoot-no-ssl is present in *features*).

If an application wants to prevent cl:random from session-secret initialization,
then the application can initialize the hunchentoot:*session-secret* variable.
That is why the variable is exported and why hunchentoot emits a warning
in case the variable is not initialized.

So I suggest that applications use secure-random to initialize 
hunchentoot:*session-secret*.

Or maybe secure-random should be enabled if cl+ssl is enabled
with hunchentoot? Opinions?

Best regards,
- Anton
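
The application-side approach suggested in this message, as an added example that is not part of the original e-mail or of Hunchentoot's own code. It assumes the secure-random and hunchentoot systems are loaded and cl+ssl is available; the helper name random-secret-string and the 32-byte length are hypothetical choices.

```lisp
;;; Added example: set hunchentoot:*session-secret* from secure-random
;;; at application start-up, before any session is created.
;;; Assumes cl+ssl is available, since secure-random depends on it.

(defun random-secret-string (&optional (n-bytes 32))
  "Return a lowercase hex string encoding N-BYTES bytes of secure-random output.
Hypothetical helper; the default length is an assumption, not a Hunchentoot requirement."
  (let ((bytes (secure-random:bytes n-bytes secure-random:*generator*)))
    (with-output-to-string (out)
      (loop for b across bytes
            do (format out "~(~2,'0x~)" b)))))

;; With the variable already set, Hunchentoot does not emit its
;; "not initialized" warning and does not build a secret with cl:random.
(setf hunchentoot:*session-secret* (random-secret-string))
```

A secret generated this way changes on every restart, so sessions issued before a restart stop validating unless the application persists the value itself.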
