I stumbled over a library which has switched to using RDRAND in a new upsteam version (not yet packaged), instead of /dev/urandom. I don't have a stong opinion on the security of RDRAND, which is a contentious topic in a domain I am not expert in. However, I would much rather rely on linux developers to make the right decision on that, rather than libraries deciding on an ad-hoc basis. Especially because the kernel has a wider spectrum of choices than use/avoid (IIRC it currently mixes in RDRAND with other entropy sources.) Perhaps we should avoid libraries in Debian using RDRAND directly, if the library has uses related to security. (Maybe some game or simulation library would have a good reason to use it.) Would it make sense to scan for the opcode? -- see shy jo  More accurately, uses it when runtime probing detects the chip supports it.
Description: Digital signature