
Re: fix for no ssh



On Mon, 08 Jul 19, 09:01:36, Curt wrote:
> On 2019-07-08, Andrei POPESCU <andreimpopescu@gmail.com> wrote:
> >
> >> Wow. Another reason to love systemd :-(
> >
> > Not clear to me why you are blaming systemd here.
> 
> Because systemd is to blame (at least in the opinion of some people in the
> know, like Stefan Fritsch, for instance):
> 
> https://qa.debian.org/developer.php?login=sf@debian.org
> 
> https://lists.debian.org/debian-devel/2018/12/msg00184.html
> 
> ...
> 
>  The problem is that systemd (and probably /etc/init.d/urandom, too) does not set 
>  the flag that allows the kernel to credit the randomness and so the kernel does 
>  not know about the entropy contained in that file. Systemd upstream argues that 
>  this is supposed to protect against the same OS image being used many times 
>  [3]. (More links to more discussion can be found at [4]).
> 
>  But an identical OS image needs to be modified anyway in order to be secure 
>  (re-create ssh host keys, change root password, re-create ssl-cert's private 
>  keys, etc.). Injecting some entropy in some way is just another task that 
>  needs to be done for that use case.  So basically the current implementation 
>  of systemd-random-seed.service breaks stuff for everyone while not fixing the 
>  thing they are claiming to fix.

Oh, right. Read this before, but forgot about it.

Even if the upstream systemd developers are right (and I don't have 
anywhere near the expertise to judge on that), they could have handled 
it better.

The timing was also not very good for the buster release cycle. 
Hopefully this will be sorted out properly in time for bullseye.

Kind regards,
Andrei
-- 
http://wiki.debian.org/FAQsFromDebianUser
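The "flag" the quoted mail refers to is the difference between a plain write() of the seed file to /dev/urandom, which mixes bytes into the pool without crediting them, and the RNDADDENTROPY ioctl, which carries an entropy_count the kernel does credit. The C below is an added example for this archive page, not code from systemd, Debian or anyone in the thread; it assumes Linux with linux/random.h available, and the function names and the 16-byte test seed are constructed for illustration.

```c
#include <fcntl.h>
#include <linux/random.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/ioctl.h>
#include <unistd.h>

/* Kernel's current entropy estimate in bits, or -1 if /proc is unavailable. */
long entropy_avail(void)
{
    long bits = -1;
    FILE *f = fopen("/proc/sys/kernel/random/entropy_avail", "r");
    if (f) { if (fscanf(f, "%ld", &bits) != 1) bits = -1; fclose(f); }
    return bits;
}

/* Uncredited path: a plain write to /dev/urandom mixes the seed into the pool,
 * but entropy_avail does not rise because nothing tells the kernel to credit it. */
int seed_uncredited(const unsigned char *seed, size_t len)
{
    int fd = open("/dev/urandom", O_WRONLY);
    if (fd < 0) return -1;
    ssize_t n = write(fd, seed, len);
    close(fd);
    return n == (ssize_t)len ? 0 : -1;
}

/* Build the RNDADDENTROPY argument: buf_size in bytes, entropy_count in bits.
 * Crediting 8 bits per byte assumes the seed is genuinely random. Caller frees. */
struct rand_pool_info *build_pool_info(const unsigned char *seed, size_t len)
{
    struct rand_pool_info *info = malloc(sizeof(*info) + len);
    if (!info) return NULL;
    info->entropy_count = (int)(len * 8);
    info->buf_size = (int)len;
    memcpy(info->buf, seed, len);
    return info;
}

/* Credited path: the ioctl needs CAP_SYS_ADMIN and fails with EPERM otherwise. */
int seed_credited(const unsigned char *seed, size_t len)
{
    struct rand_pool_info *info = build_pool_info(seed, len);
    int fd = info ? open("/dev/urandom", O_WRONLY) : -1;
    int rc = fd < 0 ? -1 : ioctl(fd, RNDADDENTROPY, info);
    if (fd >= 0) close(fd);
    free(info);
    return rc;
}
```

Comparing entropy_avail() before and after each path on a test machine shows which one the kernel actually counts; only the credited path can let early boot services such as sshd's host key generation stop blocking on the pool.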
