February 2015 Archives

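I have an insight to share with everyone. Three people ride an elevator up together: one keeps jumping the whole way, one squats in the corner praying nonstop, and one rolls on the floor with limbs convulsing. In the end they all reach the twelfth floor. Years later, someone asks them how they managed to get up there. The first says: I kept up unremitting effort, fought against nature, and never gave up even when exhausted, and finally reached this peak. The second says: I was sincere and persistent; I held to my faith and never forgot my original aspiration. The third says: I went against intuition, against tradition, against everything, and so created a completely unbelievable result. That is how I feel reading a lot of business books. Gentlemen, aren't you going to talk about what the elevator itself is all about?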

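Today John-Mark Gurney fixed a random number generator problem that affected FreeBSD -CURRENT for roughly the past 4 months. The affected revisions are r273872 (which introduced the problem) through r278907 (the fix).

Because the problem only affects -CURRENT, we will not issue a security advisory for it.

Impact: during the refactoring of the random number generator (/dev/random), the part that originally initialized (seeded) the kernel arc4random(9) API was not correctly configured when the new random number processor came online (randomdev_init_reader), so the kernel kept using the dummy RNG to generate the seed for arc4random(9). Because the output range of the dummy RNG is limited (about 2^30), the output of arc4random(9) is easy to predict.

Because arc4random(9) is also used to produce random seeds for userland code, this problem also affects userland random number generation (since arc4random(9) is widely used in the kernel, the practical impact of the problem is reduced to a greater or lesser degree, but we advise users not to count on luck because of that).

We recommend that users running these versions of FreeBSD -CURRENT upgrade to the latest -CURRENT immediately, and destroy and regenerate all private keys generated during this period.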
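Why key length does not help when the seed range is limited, as an added example (not FreeBSD code and not part of the original post): a simplified model in which an RC4 generator is keyed only with a seed from a small range, scaled down from the roughly 2^30 in the post to 2^12 so the sweep runs quickly. `SEED_SPACE`, `key_from_seed`, `weak_key_index`, `effective_bits` and the 4-byte seed encoding are assumptions made for illustration.

```python
import math
import os

# Constructed model, not FreeBSD code. The post gives ~2^30 for the dummy RNG's
# range; 2^12 is used here so the full sweep finishes in about a second.
SEED_SPACE = 2 ** 12


def rc4_stream(key: bytes, n: int) -> bytes:
    """Plain RC4: key schedule followed by n bytes of keystream."""
    s = list(range(256))
    j = 0
    for i in range(256):
        j = (j + s[i] + key[i % len(key)]) & 0xFF
        s[i], s[j] = s[j], s[i]
    i = j = 0
    out = bytearray()
    for _ in range(n):
        i = (i + 1) & 0xFF
        j = (j + s[i]) & 0xFF
        s[i], s[j] = s[j], s[i]
        out.append(s[(s[i] + s[j]) & 0xFF])
    return bytes(out)


def key_from_seed(seed: int, nbytes: int = 32) -> bytes:
    """Assumed model: the generator's only input is a seed from the small range."""
    return rc4_stream(seed.to_bytes(4, "little"), nbytes)


def weak_key_index(nbytes: int = 32) -> set:
    """Every key the mis-seeded generator can ever emit as its first nbytes."""
    return {key_from_seed(seed, nbytes) for seed in range(SEED_SPACE)}


def effective_bits(index: set) -> float:
    """Upper bound on key entropy: log2 of the number of reachable keys."""
    return math.log2(len(index))


if __name__ == "__main__":
    index = weak_key_index()
    suspect = key_from_seed(1234)   # 256-bit key made while mis-seeded
    healthy = os.urandom(32)        # same length, properly seeded source
    print(f"256-bit key, at most {effective_bits(index):.1f} bits of entropy")
    print("suspect key in weak set:", suspect in index)
    print("healthy key in weak set:", healthy in index)
```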

Capsized once, so I'm making a note of it. The subject is as given in the title.

This cracked me up......


An excerpt from a crosstalk (comic dialogue) routine: Node.js Is Bad Ass Rock Star Tech. Video:

p1: And in conclusion we have found Apache to be an excellent server for our web applications. Any questions?

p2: Yes, I have a question. Why didn't you use node.js? node.js is an event driven, non-blocking IO server that can be used to build high-performance web applications.

p1: That is an excellent question. We evaluated several alternative web servers and concluded, that while options like node.js are very interesting, Apache meets our needs and has a solid track record.

p2: But it doesn't have performance. Everybody knows that Apache applications are slow because they use blocking IO and have context switches.

p1: That's a commonly held belief that threaded web servers are somehow less performant or as scalable than event based servers. In fact, if you measure carefully, you will find that both models have similar performance characteristics.

p2: Threads don't scale. Simple as that.
