[Ur] openid fails to build on OS X
Adam Chlipala
adamc at impredicative.com
Sun Jul 17 07:25:58 EDT 2011
Robin Green wrote:
> On Sat, 16 Jul 2011 17:01:12 -0500, austin seipp<as at hacks.yi.org> wrote:
>
>> Robin, while I understand the principle behind the secure comparison
>> function (to avoid a timing attack based on string length,) is there a
>> particular reason you need GCC to optimize at level 0? Or is it just
>> the fact you don't want anything happening under your nose?
>>
> It's really just paranoia about future versions of GCC or other
> compilers doing some clever optimisation that makes a timing attack
> possible. I think you can just remove the GCC-specific attribute.
>
I'm happy to prepare a Mercurial changeset myself which removes that
annotation, or to accept one from one of you. Let me know how you'd
like to proceed.
I'm counting on y'all to make sure this change doesn't reopen the timing
attack that motivated Robin's patch.
More information about the Ur
mailing list