[Date Prev][Date Next] [Thread Prev][Thread Next] [Date Index] [Thread Index]

Re: fix for no ssh

On Wed 10 Jul 2019 at 13:52:55 (-0000), Curt wrote:
> On 2019-07-10, Andy Smith <andy@strugglers.net> wrote:
> > Secondly, the reason I asked you what you would like done is that in
> > the message I replied to you said that the release notes were
> > something that users don't read. But your proposed solution is to
> > put more things in the release notes.
> I said users don't read the release notes? I don't remember saying that.
> I remember saying we can't assume or expect the "regular user" (for any
> arbitrary definition of that) is following the technical discussions of
> the development team. I do think, though, all users are responsible for
> reading the release notes. That's life in the big city, as Mom used to
> say. 

Perhaps it was easy to misread what you posted; would it be clearer to
rephrase it as "I think these reserves are relevant and pertinent to
the patch itself, and should be revealed in the Buster release-notes
for users who aren't following the technical discussions of the
development team".

But I also think you could withdraw your accusation of dishonesty on
the part of Debian, seeing that you (and others) aren't able to
express clearly what the problem is, what compromises have been made
in Debian's default method, and what the risks are with each of the
"solutions" proposed here and elsewhere.

> > As for the recommended way forward, I'm not sure that there is an
> > easy answer if RDRAND isn't an option. There are complex trade-offs
> > and I think it's probably right that users in this position read the
> > wiki page and work out what's best for them.
> >
> > I do note that for a person in your situation (real hardware [not a
> > virtual machine] with no RDRAND and no TPM), every listed solution
> > has at least one expert that says it is a very bad idea! I don't
> > think there is consensus here yet.
> >
> > In your position I think I'd probably hold my nose (as it says) and
> > use haveged.
> What about jiggling my mouse for a while?

I've seen this, and random typing, being advised as a solution. But
it's always struck me that the best source of randomness (usually)
available nowadays is a microphone.


Reply to: