WARN <qof.engine> [guid_init()] only got xxxx bytes. The identifiers might not be very random.

Phil Longstaff plongstaff at rogers.com
Mon Mar 7 14:42:55 EST 2011 

Can the qof guid library be replaced by libuuid on linux?

 Phil
---------
I used to be a hypochondriac AND a kleptomaniac. So I took something for it.




________________________________
From: Phil Longstaff <plongstaff at rogers.com>
To: Geert Janssens <janssens-geert at telenet.be>
Cc: Gnucash Devel <gnucash-devel at lists.gnucash.org>
Sent: Mon, March 7, 2011 2:34:15 PM
Subject: Re: WARN <qof.engine> [guid_init()] only got xxxx bytes. The 
identifiers might not be very random.

It seems to me that a guid is a guid.  Can you just use the win32 function 
UuidCreate()?

Phil
---------
I used to be a hypochondriac AND a kleptomaniac. So I took something for it.




________________________________
From: Geert Janssens <janssens-geert at telenet.be>
To: gnucash-devel at gnucash.org
Sent: Mon, March 7, 2011 2:23:27 PM
Subject: WARN <qof.engine> [guid_init()] only got xxxx bytes. The identifiers 
might not be very random.

... A warning that will appear in every trace file on Windows. We have all 
learned to ignore it.

Unfortunately, it was a sign of a deeper underlying problem I'd like to 
discuss here a bit more.

We all know GnuCash uses GUID's to uniquely identify its internal objects. 
These GUID's are generated based on some random number generator [1]. To 
generate good random GUID's this generator is seeded with some randomness from 
many different sources [2]. So far so good.

These sources are amongst others
* /dev/urandom (the system's non-blocking random number generator on unix like 
architectures),
* a number of files that are generally known to have data that differs from 
machine to machine and evolves randomly in time (/etc/password, several files 
under /proc/ and so on
* a number of directories from which the contents are hardly predictable 
(again /proc and several of its descendants, /tmp)...
* several others, not really relevant for this mail.

The problem with the mentioned sources so far is that they all exist on most 
unix-like systems (linux, OS X, *BSD), but not on Windows.

The result is that on Windows the init function doesn't generate a sufficient 
amount of random numbers to seed the generator. Hence the warning.

I would never have come up with the idea to look into this if I wasn't lead to 
this very intialization function while tracking a bug on Windows [3]. And for 
those interested: the guid_init function causes *internet* traffic on a 
Windows box. Probably no successful connections though, but it does in some 
way trigger the system to hit the network. All because the guid_init function 
assumes to be in a unix-like environment.

The bug is worked around now (I hope), but the core issue still remains: the 
guid_init function is not well adapted for Windows.

The solution: add some code that does similar things but with Windows friendly 
alternatives. /dev/urandom can be replaced on Windows with RtlGenRandom for 
example, and I'm sure we can come up with a number of files and directories 
that can be considered unpredictable on Windows.

And right about then, I paused. Looking at all these randomness attempts I'm 
wondering if this is really all necessary. The routine is built to generate 
cryptographically safe random numbers. But we're not into cryptography here 
are we ? As far as I know we don't really care if the generation process is 
predictable, as long as it continue to generate unique numbers. As far as I 
know, we only care to get numbers that are unique. Can't we achieve this with 
less complicated methods ? I imagine that a combination of /dev/urandom (or 
RtlGenRandom), some date-time information and some other universally available 
things like process ID, last generated GUID should together be sufficiently 
random ?

Perhaps I'm opening a can of worms here, I don't know. I'm not really a random 
generator expert.

If that's not sufficient, can someone suggest me some files and directories 
that can be used on Windows to seed the random generator ?

Geert

[1] http://svn.gnucash.org/trac/browser/gnucash/trunk/src/libqof/qof/guid.c
[2] 
http://svn.gnucash.org/trac/browser/gnucash/trunk/src/libqof/qof/guid.c#L361
[3] https://bugzilla.gnome.org/show_bug.cgi?id=521817
_______________________________________________
gnucash-devel mailing list
gnucash-devel at gnucash.org
https://lists.gnucash.org/mailman/listinfo/gnucash-devel
_______________________________________________
gnucash-devel mailing list
gnucash-devel at gnucash.org
https://lists.gnucash.org/mailman/listinfo/gnucash-devel

More information about the gnucash-devel mailing list