Question: Is there a nonzero chance of a PHP application running at boot
time on an older GNU/Linux machine? If so, should we adopt this "unseeded
CSPRNG" mitigation employed by libsodium for ancient Linux kernels?

https://github.com/jedisct1/libsodium/issues/374
https://github.com/jedisct1/libsodium/commit/c752eb55d9e9992bc38e7790128953427aa0a89f

This could be done as a security patch for PHP 7.0.x if there's any concern
about startup entropy e.g. on embedded devices.

I'm not aware of any such projects being written in PHP, so my intuition is
this is a non-issue for us.

Regards,

Scott Arciszewski
Chief Development Officer
Paragon Initiative Enterprises <https://paragonie.com>


  • Stanislav Malyshev at May 22, 2016 at 5:05 am
    Hi!
    > Question: Is there a nonzero chance of a PHP application running at boot
    > time on an older GNU/Linux machine? If so, should we adopt this "unseeded
    > CSPRNG" mitigation employed by libsodium for ancient Linux kernels?
    >
    > https://github.com/jedisct1/libsodium/issues/374
    > https://github.com/jedisct1/libsodium/commit/c752eb55d9e9992bc38e7790128953427aa0a89f
    >
    > This could be done as a security patch for PHP 7.0.x if there's any concern
    > about startup entropy e.g. on embedded devices.

    If they're running a Linux kernel that deserves to be called "ancient",
    wouldn't they also run old PHP? In any case, from the problem
    description, it looks like the problem happens "on early boot". I don't
    see how you can get to run PHP code before you get way, way beyond early
    boot.

    > I'm not aware of any such projects being written in PHP, so my intuition is
    > this is a non-issue for us.

    I agree, this appears to be a non-issue for PHP.

    --
    Stas Malyshev
    smalyshev@gmail.com
  • Julien Pauli at May 23, 2016 at 8:06 am

    On Sun, May 22, 2016 at 7:04 AM, Stanislav Malyshev wrote:
    > Hi!
    >
    >> Question: Is there a nonzero chance of a PHP application running at boot
    >> time on an older GNU/Linux machine? If so, should we adopt this "unseeded
    >> CSPRNG" mitigation employed by libsodium for ancient Linux kernels?
    >>
    >> https://github.com/jedisct1/libsodium/issues/374
    >> https://github.com/jedisct1/libsodium/commit/c752eb55d9e9992bc38e7790128953427aa0a89f
    >>
    >> This could be done as a security patch for PHP 7.0.x if there's any concern
    >> about startup entropy e.g. on embedded devices.
    >
    > If they're running a Linux kernel that deserves to be called "ancient",
    > wouldn't they also run old PHP? In any case, from the problem
    > description, it looks like the problem happens "on early boot". I don't
    > see how you can get to run PHP code before you get way, way beyond early
    > boot.
    >
    >> I'm not aware of any such projects being written in PHP, so my intuition is
    >> this is a non-issue for us.
    >
    > I agree, this appears to be a non-issue for PHP.

    Same thinking here => we're not concerned.


    Julien.Pauli

Discussion Overview
group: php-internals
categories: php
posted: May 21, '16 at 8:46p
active: May 23, '16 at 8:06a
posts: 3
users: 3
website: php.net