
Re: Handling of entropy during boot

On Wed, 2019-01-09 at 11:40 -0500, Theodore Y. Ts'o wrote:
> On Wed, Jan 09, 2019 at 09:58:22AM +0100, Stefan Fritsch wrote:
> > No, that's utterly wrong. If it's a hassle to use good entropy, people 
> > will use gettimeofday() for getting "entropy" and they will use it for 
> > security relevant purposes. In this way, you would achieve exactly the 
> > opposite of what you want.
> If *users* do this, then if they end up releasing credit card numbers
> or PII or violate their customers' privacy which brings the EU's GDPR
> enforcers down on them, it's on *their* heads.  If *Debian* makes a
> local Debian-specific change which causes these really bad outcomes,
> then it's on *ours*.
> We've tried to do this ten years ago, when well-meaning Debian
> Developers tried to "fix" OpenSSL's random number library, and it
> turned out to be a disaster[1].  So let's be careful and to replicate
> past mistakes, eh?

It's a bit late for that:

> Sure, this is why developers need to investigate the bugs.  You said
> you provided links, but I couldn't find any in your e-mail messages or
> earlier ones on this thread.  Perhaps I missed them; in which case, my
> apologies.   Can you please send/resend those links?

I sent you a bunch of bug links in message
<ac7d151dc705356ac32c1dfe2bcb6472084e0eac.camel@decadent.org.uk> in


Ben Hutchings
Every program is either trivial or else contains at least one bug
