[Date Prev][Date Next] [Thread Prev][Thread Next] [Date Index] [Thread Index]

Re: Bug#754513: ITP: libressl -- SSL library, forked from OpenSSL

On Wed, 2014-07-16 at 12:47 -0700, Russ Allbery wrote:
> Steven Chamberlain <steven@pyro.eu.org> writes:
> > It seems extreme, but the point is that something must be wrong on the
> > system if we get to the fallback code - /dev/urandom missing from a
> > chroot, or fd's exhausted, and the kernel not having a reliable sysctl
> > interface like OpenBSD's to get random bytes in the first place.
> It would be nice to have a reliable kernel interface for getting
> randomness rather than relying on proper chroot configuration.

There is such an interface.  It happens to be a char device.  Expecting
administrators to create /dev/urandom in a chroot is no more
unreasonable than expecting them to create /dev/null or /dev/zero.

> I'm not
> sure sysctl should be that mechanism, but I'm quite sympathetic to the
> LibreSSL developers here.  Relying on a device being present in a chroot
> seems rather dubious.

Less so than blundering on without entropy.


Ben Hutchings
Hoare's Law of Large Problems:
        Inside every large problem is a small problem struggling to get out.

Attachment: signature.asc
Description: This is a digitally signed message part

Reply to: