Re: Bug#754513: ITP: libressl -- SSL library, forked from OpenSSL
On Wed, 2014-07-16 at 19:54:38 +0100, Steven Chamberlain wrote:
> The other major concern was about scary entropy-gathering code,
> implemented in LibreSSL Portable for Linux as a last resort for when
> /dev/urandom can't be read. I agree that it's too risky, or: too
> difficult to prove safe and robust in any conceivable situation.
> Debian's major OpenSSL bug was able to happen undetected for a while out
> of similar circumstances.
> A compile-time ifdef already allows to disable this fallback code and
> raise SIGKILL instead, crashing the calling process. As part of the
> LibreSSL port to GNU/kFreeBSD and Hurd I would actually have asked that
> we do this anyway in Debian, at least for those platforms.
kFreeBSD does have a supported sysctl for this: CTL_KERN KERN_ARND.
(As does NetBSD which has two, KERN_URND and KERN_ARND.)