Open mwebber opened 7 years ago
Thanks for the suggestion. You mean that we should introduce a new configuration option in this plugin, oauth.useUrandom?
You mean that we should introduce a new configuration option in this plugin, oauth.useUrandom?
That was my first idea.
But maybe other parts of Gerrit also use /dev/random, in which case it should be in a different config section (not oauth), maybe core.useUrandom or os.useUrandom.
(I haven't looked across the Gerrit code base to see where /dev/random is used)
A workaround also could be to run haveged when running on VMs that are often low on entropy.
This issue is a follow-up to issue #40, and specifically motivated by this comment.
Background: see the article https://www.2uo.de/myths-about-urandom/
Rather than using the blocking /dev/random, Gerrit OAuth should make use of the non-blocking /dev/urandom, which avoids the risk of Gerrit hanging when a user signs in. This could be controlled by a system setting oauth.useUrandom (defaulting to false).
The only reason to use the old /dev/random is if your Gerrit installation is on a virtual machine and you do not properly seed the random generator (as explained at the end of the article referred to above).
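A sketch of how a switch like the proposed oauth.useUrandom could select the random source in Java, added here as an illustration and not taken from the plugin or from Gerrit. The class name, the use of a JVM system property to carry the setting, and the token helper are assumptions; the page does not show how the plugin obtains its random values.

```java
import java.security.NoSuchAlgorithmException;
import java.security.SecureRandom;
import java.util.Base64;

public class OAuthRandomSource {
    // Hypothetical helper: maps the proposed oauth.useUrandom flag to a JDK algorithm.
    static SecureRandom create(boolean useUrandom) {
        // JDK algorithm names on Linux/Unix (SUN provider):
        //   NativePRNGNonBlocking reads /dev/urandom,
        //   NativePRNGBlocking reads /dev/random and may stall when entropy is low.
        String algorithm = useUrandom ? "NativePRNGNonBlocking" : "NativePRNGBlocking";
        try {
            return SecureRandom.getInstance(algorithm);
        } catch (NoSuchAlgorithmException e) {
            // Platforms without these devices (for example Windows) do not offer
            // the algorithm; fall back to the JDK default instead of failing sign-in.
            return new SecureRandom();
        }
    }

    // Constructed example of a value a sign-in flow needs: a 256-bit URL-safe token.
    static String newStateToken(SecureRandom rng) {
        byte[] buf = new byte[32];
        rng.nextBytes(buf);
        return Base64.getUrlEncoder().withoutPadding().encodeToString(buf);
    }

    public static void main(String[] args) {
        // Assumption: the setting arrives as -Doauth.useUrandom=true, default false
        // as proposed in the issue.
        boolean useUrandom =
            Boolean.parseBoolean(System.getProperty("oauth.useUrandom", "false"));
        SecureRandom rng = create(useUrandom);

        // Time the call: a long delay with the blocking source is the hang
        // described in this issue.
        long start = System.nanoTime();
        String token = newStateToken(rng);
        long ms = (System.nanoTime() - start) / 1_000_000;
        System.out.println(rng.getAlgorithm() + ": " + token.length()
            + "-char token in " + ms + " ms");
    }
}
```

Running it once with and once without `-Doauth.useUrandom=true` on an entropy-starved VM shows whether the blocking source is what delays sign-in.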