gerrit-oauth-provider

OAuth provider should allow use of /dev/urandom

Open mwebber opened this issue 8 years ago • 3 comments

This issue is a follow-up to issue #40, and specifically motivated by this comment.

Background: see the article https://www.2uo.de/myths-about-urandom/

Rather than using the blocking /dev/random, Gerrit OAuth should use the non-blocking /dev/urandom, which avoids the risk of Gerrit hanging when a user signs in. This could be controlled by a system setting oauth.useUrandom (defaulting to false).

The only reason to use the old /dev/random is if your Gerrit installation is on a virtual machine and you do not properly seed the random generator (as explained at the end of the article referred to above).

mwebber avatar Aug 15 '17 08:08 mwebber

Thanks for the suggestion. You mean that we should introduce a new configuration option in this plugin oauth.useUrandom?

davido avatar Aug 15 '17 10:08 davido

> You mean that we should introduce a new configuration option in this plugin oauth.useUrandom?

That was my first idea. But maybe other parts of Gerrit also use /dev/random, in which case it should be in a different config section (not oauth), maybe core.useUrandom or os.useUrandom.

(I haven't looked across the Gerrit code base to see where /dev/random is used)

mwebber avatar Aug 15 '17 10:08 mwebber

A workaround also could be to run haveged when running on VMs that are often low on entropy.

kunickiaj avatar Oct 17 '17 16:10 kunickiaj
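
The switch proposed in the opening post, sketched as an added example that is not code from gerrit-oauth-provider or Gerrit: a `SecureRandom` factory that picks the blocking or non-blocking kernel source from a flag. The class and method names are hypothetical, and reading `oauth.useUrandom` as a JVM system property is an assumption; `NativePRNGBlocking` and `NativePRNGNonBlocking` are the SUN provider algorithm names on Linux/Unix JDKs (Java 8 and later).

```java
import java.security.NoSuchAlgorithmException;
import java.security.SecureRandom;
import java.util.Base64;

public class RandomSourceDemo {

    // Hypothetical factory modelled on the oauth.useUrandom setting proposed in the issue.
    static SecureRandom create(boolean useUrandom) {
        // NativePRNGNonBlocking reads /dev/urandom for both nextBytes() and generateSeed();
        // NativePRNGBlocking reads /dev/random for both and can stall when entropy is low.
        String algorithm = useUrandom ? "NativePRNGNonBlocking" : "NativePRNGBlocking";
        try {
            return SecureRandom.getInstance(algorithm);
        } catch (NoSuchAlgorithmException e) {
            // Neither algorithm exists on this platform (for example Windows):
            // fall back to the JDK default instead of failing the sign-in path.
            return new SecureRandom();
        }
    }

    // Constructed stand-in for a security-sensitive value: a 256-bit URL-safe token.
    static String newToken(SecureRandom rng) {
        byte[] buf = new byte[32];
        rng.nextBytes(buf);
        return Base64.getUrlEncoder().withoutPadding().encodeToString(buf);
    }

    public static void main(String[] args) {
        // Assumption: the flag arrives as -Doauth.useUrandom=true; absent means false,
        // matching the default suggested in the issue.
        boolean useUrandom = Boolean.getBoolean("oauth.useUrandom");
        SecureRandom rng = create(useUrandom);

        // Time the draw so a blocked read of /dev/random shows up as latency.
        long start = System.nanoTime();
        String token = newToken(rng);
        long elapsedMs = (System.nanoTime() - start) / 1_000_000;

        System.out.println("algorithm=" + rng.getAlgorithm()
                + " tokenLength=" + token.length()
                + " elapsedMs=" + elapsedMs);
    }
}
```

Running it with and without `-Doauth.useUrandom=true` on a freshly booted VM makes the difference visible in `elapsedMs`.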