I stopped reading these 'cypherpunk'-epilog lists a few years back. I'm still subscribed because of cross-postings. The amount of tinfoil-hattery is just unsustainable. And there's barely any interesting information for people working on real cryptography-, systems or engineering.
Users of languages can't be expected to. Therefore the language designers and maintainers themselves, especially if they're working on the stdlib, should do so, IMO. It's not only education for a proficient programmer, it helps to understand the underlying system you're building on and its security assumptions.
The random char device code isn't that hard to understand, and if you're not a strong C programmer (the Ruby-core people are good C programmers, I suppose) - there's a paper explaining how it works: https://eprint.iacr.org/2012/251.pdf
Some of this is certainly my own fault (context: I'm the rude guy in the thread). There were two comments made by myself that were considered "rude": one early on, where I actually didn't even mean to be. And my last reply was basically a rage-quit.
But I put all relevant information, academic and engineering-wise in the thread to try to convince Ruby-core to change their opinion. I replied to false assumptions and comments as best as I could.
I'm also only a human and since this bug has been open for 2 years, I've used SecureRandom extensively in the past, this was a very frustrating experience for myself and all the commenters involved. I certainly do not have the most "diplomatic" approach (as a friend put it). I know that. But I'm not really sorry about that either, it's just who I am. I'm a nice guy IRL people tell me, but I can get obnoxious when people don't listen to severe security issues and always refer to upstream, have been so in quite a few projects and standards processes.
Every interaction I've had with the Ruby core team has involved rudeness on their part.
I understand that Japanese culture is really different and that as a country they've really had horrible things done to them over the last hundred years that are inexcusable to say the absolute very least.
But just like any country, there are people with great people skills and people with no people skills. The Ruby core team lacks people skills. Whether it is a result of cultural problems that are a result of terrible things happening there, I can't say, but it really does Ruby a disservice.
All they need to do is listen and consider, but they don't, really.
I don't think it's a culture thing at all. Japanese people are usually extremely polite and sincere. I also don't think this has anything to do with their history.
If you look at replies I got from Ruby-core: some people would consider them to be rude as well; I'm constantly told I do not understand what I'm doing, and I've been in engineering for more than 12 years, into crypto for more than five (and been reading cypherpunk lists since I was 15). I'm certainly not an academic cryptographer nor among the best engineers in the field, but I think I know a fair bit about the topic by now. I've contributed to many security projects, academic publications and standards processes -- this was certainly among the worst experiences I've had so far (you'd think IETF is worse, no. Heated discussions all the time, but people stay focused and technical, listen to comments made by domain experts et cetera and act on them).
The Ruby community even has their own acronym for being nice to other developers: MINASWAN (https://en.wikipedia.org/wiki/Yukihiro_Matsumoto). I'm puzzled by the outcome of this discussion, but am assured by other security engineers and cryptographers that bugs they opened were treated equally badly, often ignored, even if they were non-disclosed, heavy security issues.
No idea. I'm not part of Ruby-core, nor Japanese. In my travels I've encountered many cultures and peoples, Japanese are amongst the most polite and friendly people I've met. Often very shy in that regard, like many Asians (this is indeed a culture thing & certainly not a bad one).
Some are xenophobic, but I wouldn't say that they all are, that's just false, I've met so many open-minded Japanese that I'd never generalise in that regard.
>I'm puzzled by the outcome of this discussion, but am assured by other security engineers and cryptographers that bugs they opened were treated equally badly, often ignored, even if they were non-disclosed, heavy security issues.
If you have an organization with a strict good manners policy and problems arise, this kind of passive-aggressive behavior is exactly what you should expect. "Company policy" and PC rules can't make people better persons.
NOTE: This is not my opinion about Ruby-core team. I just want to point out that being polite does not mean that you interact well with others.
Insofar as Japanese culture has anything to do with the way these people replied to you, I suspect that it might be a combination of (1) deference to authority and (2) relative isolation from the Western CS scene.
Absolute deference to man pages and insistence on getting things fixed upstream are textbook examples of, well, following the textbook. And they won't accept blog posts and presentations as authoritative because they are not familiar with the authors and presenters. Had they been even a casual reader of HN, they wouldn't dismiss names like tptacek so easily. They simply have no idea who the heck he is, so they stick to TFM as they were taught to do.
So it's neither malice nor xenophobia. I think they're just following rules, and maybe a little annoyed that everyone is telling them to ignore their rules.
You'll see a lot of assignee's done to matz, nobu, koichi etc... I mean they don't have 50 arms each and infinite time so they have to prioritize on what they work.
"Some are xenophobic"
That is so totally rubbish.
Just go to the Japanese bboy scene. They are not xenophobic AT ALL.
I'd usually not even consider replying to such a post as you clearly have neither read nor tried to understand my comment.
I replied to a post made above, and expressed deepest sympathy for the Japanese people. While I was born in central Europe, I'd rather not be a citizen of any nation. I spend more time abroad than in the country I was born in. Speaking of which: central Europe currently has a huge resurgence of fascist ideologies and xenophobia due to migrants from war-torn countries. Something which is utterly inconceivable to most people able to read a history book, given Europe's not so distant past with genocide. Unfortunately, xenophobia and right-wing sentiment is something that every democracy and thus nation faces, Japan isn't exempt from that [0] [1] [2].
(I currently live in Asia and spend a lot of time in Arabic countries, you may reconsider educating me on the subject with references to the bboy scene.)
Yea, I always liked Ruby's implicitness and style of writing code. For crypto I'd prefer to use Sage or Python's cryptography.io framework (a lot of other good options for performance critical code of course).
There hasn't been a lot of progress there but Certificate Transparency is of course a new player that might change how revocation works for different systems as well.
edit:
Running a CA is a full-time job that requires financial backing, gear, well-trained operational staff and a lot of policies to operate in a reasonable and safe way. I'm happy that Let's Encrypt take their time to get everything in place and do not rush General Availability, BTW. I could not find /any/ information on SPI's CA on the web. I have no idea who or how they currently operate their CA. Their Website has a horrible and real-world vulnerable HTTPS set-up. I imagine their CA might also have aged a bit.