@saagar OpenSSL did this iirc and debian broke it by trying to fix it. Maybe that was just uninitialized memory but I think that's a kind of undefined behavior.

@wyatt8740 Trying to use undefined behavior in your code for intended functionality is generally a bad idea

@saagar It was essential to the design of OpenSSL because it increases the entropy of the seeds it generates

@wyatt8740 Yes and this happened to be a bad idea :P

@saagar How was it a bad idea? It was a good idea; downstream idiots who didn't understand it purposefully broke the code thinking they were "fixing" it because they didn't understand the code and saw valgrind warn about it. That code is still in openssl.

@wyatt8740 Using uninitialized memory as entropy is generally a bad idea. It doesn’t really help and it breaks tools that you would generally want to use to find real bugs. The “fix” was incorrect, of course, but not idiotic. FWIW, the code is gone now: https://github.com/openssl/openssl/commit/75e2c877650444fb829547bdb58d46eb1297bc1a#diff-7540ce8fd73afa23b44db37b090c9aa47f5c361f8f2bb5508be45555e9a1f6bbL191

@saagar how does drbg do it? Also if you lack the ability to think critically about the warnings a program is giving you when programming in general I think you're sort of cruising for a bruising. Deep understanding is always better than "waving a chicken at it until the warnings go away," or trusting software to be infallible.