[hunchentoot-devel] Patch submission using secure-random in create-random-string
Anton Vodonosov
avodonosov at yandex.ru
Wed Dec 5 03:23:40 UTC 2012
03.12.2012, 08:52, "Sabra Crolleton" <sabra.crolleton at gmail.com>:
> This patch changes the function random-string to use secure-random:number which is a better random number generator.
>
> Anton Vodonosov, since secure-random is your package, I would appreciate your review.
>
> Sabra
Hello.
This fix would be good if secure-random didn't depended on cl+ssl.
Currently secure-random uses cl+ssl random number generator,
so applying this patch will make hunchentoot always unconditionally
depend on cl+ssl, but hunchentoot is supposed to be workable
without cl+ssl (if :hunchentoot-no-ssl is present in *features*).
If application wants to prevent cl:random from session-secret initialization,
than the application can initialize hunchentoot:*session-secret* variable.
That is why the variable is exported and why hunchentoot emits a warning
in case the variable is not initialized.
So I suggest that applications use secure-random to initialize
hunchentoot:*session-secret*.
Or maybe secure-random should be enabled if cl+ssl is enabled
with hunchentoot? Opinions?
Best regards,
- Anton
More information about the Tbnl-devel
mailing list