Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Add a section about working with Random in native #26843

Closed
wants to merge 1 commit into from
Closed

Add a section about working with Random in native #26843

wants to merge 1 commit into from

Conversation

sberyozkin
Copy link
Member

Fixes #26835

@sberyozkin sberyozkin requested a review from zakkak July 20, 2022 13:44
gsmet
gsmet requested changes Jul 20, 2022
View reviewed changes
Copy link
Member

@gsmet gsmet left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Hmmm, I agree we should have something but I don't like the wording of this proposal that much. I'll try to come up with something.

docs/src/main/asciidoc/writing-native-applications-tips.adoc
@@ -330,6 +330,17 @@ and in the case of using the Maven configuration instead of `application.propert
----
====

=== Working with Random and SplittableRandom

If your native application is initialized at build time and has static `java.util.Random` or `java.util.SplittableRandom` instances then its native build will fail because embedding such instances in native image will result in the same cached seed value be reused which will negatively affect the entropy (randomness) quality of the produced values.
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I think this is highly confusing: If your native application is initialized at build time.

You don't have the option in Quarkus to initialize "your application" at build time or runtime.

Copy link
Member Author

@sberyozkin sberyozkin Jul 20, 2022
edited
Loading

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

@gsmet Sure, this is a general point I've tried to convey from the tutorial.

So, may be just If your native application has static ..., omitting is initialized at build time, please suggest an update. Or If some classes in your native application have static ..., etc, of whatever you prefer, I don't mind :-)

docs/src/main/asciidoc/writing-native-applications-tips.adoc
There is a number of techniques that can be used to have static `Random` and `SplittableRandom` instances securely used in native images:
* Do the runtime initialization instead of the build-time initialization
* Keep the build-time initialization but request a runtime re-inititalization of the affected classes
* Substitute instances of `Random` and `SplittableRandom` with `null`
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

How is it a workable option? The chances that they are not actually used are extremely narrow.

Copy link
Member Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

@gsmet For example, there were Random instances used from a test algorithm code in BC FIPS case, https://github.com/quarkusio/quarkus/blob/main/extensions/security/runtime/src/main/java/io/quarkus/security/runtime/graal/BouncyCastleSubstitutions.java#L24, cases like that...

Copy link
Member Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

and also for the 1st option, expand a bit, Do the runtime initialization of the affected classes, and the same for the 2nd option

@zakkak
Copy link
Contributor

zakkak commented Jul 20, 2022

Hmmm, I agree we should have something but I don't like the wording of this proposal that much. I'll try to come up with something.

I agree. I will wait for a new version or @gsmet's proposal to review. Thanks for the PR @sberyozkin.

@sberyozkin
Copy link
Member Author

Np, lets tune it to make it technically precise

@gsmet gsmet mentioned this pull request Aug 3, 2022
Merged
@gsmet
Copy link
Member

gsmet commented Aug 3, 2022

Superseded by #27106 .

@gsmet gsmet closed this Aug 3, 2022
@quarkus-bot quarkus-bot bot added triage/invalid This doesn't seem right and removed triage/backport? labels Aug 3, 2022
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@gsmet gsmet gsmet requested changes

@zakkak zakkak Awaiting requested review from zakkak

Assignees
No one assigned
Labels
area/documentation triage/invalid This doesn't seem right
Projects
None yet
Milestone
No milestone
3 participants
@sberyozkin @zakkak @gsmet