[Development] websockets (was RE: Qt 5.3 Feature freeze is coming quite soon...)
Konrad Rosenbaum
konrad at silmor.de
Mon Feb 10 08:58:38 CET 2014
Hi,
I'll have to read and analyze this code in more detail to give you a qualified
opinion. I'll do this later...
On the surface it looks a bit complicated and I'm not entirely sure about the
seeding, but I'll have to study the API first to make sure.
On Sunday, Sunday 09 February 2014 at 22:40, Kurt Pattyn wrote:
> If the above implementation suffices, then a virtual method would not be
> needed anymore.
Please use the virtual method anyway. Yes, it adds about two more instructions
and a memory access for every call to this method, but security-wise it is
worth it.
You can never assume code to be absolutely secure, just secure enough for a
particular purpose that you can envision under the constraints of the
knowledge you currently possess. Providing an overridable virtual method gives
users with stronger requirements (or with more paranoid bosses) sufficient
freedom to implement those requirements.
Incidentally it gives you an excuse to cop out of security discussions... ;-)
> Should I fall back to the ordinary qrand() when the other methods fail?
Yes.
Konrad
-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 490 bytes
Desc: This is a digitally signed message part.
URL: <http://lists.qt-project.org/pipermail/development/attachments/20140210/43d961f2/attachment.sig>
More information about the Development
mailing list