Web lists-archives.com

Re: Handling of entropy during boot




On Wed, 2019-01-09 at 11:40 -0500, Theodore Y. Ts'o wrote:
> On Wed, Jan 09, 2019 at 09:58:22AM +0100, Stefan Fritsch wrote:
[...]
> > No, that's utterly wrong. If it's a hassle to use good entropy, people 
> > will use gettimeofday() for getting "entropy" and they will use it for 
> > security relevant purposes. In this way, you would achieve exactly the 
> > opposite of what you want.
> 
> If *users* do this, then if they end up releasing credit card numbers
> or PII or violate their customers privacy which brings the EU's GDPR
> enforcers down on then, it's on *their* heads.  If *Debian* makes a
> local Debian-specific change which causes these really bad outcomes,
> then it's on *ours*.
> 
> We've tried to do this ten years ago, when well-meaning Debian
> Developers tried to "fix" OpenSSL's random number library, and it
> turned out to be a disaster[1].  So let's be careful and to replicate
> past mistakes, eh?

It's a bit late for that:
https://lists.debian.org/debian-release/2018/05/msg00130.html

[...]
> Sure, this is why developers need to investigate the bugs.  You said
> you provided links, but I couldn't find any in your e-mail messages or
> earlier ones on this thread.  Perhaps I missed them; in which case, my
> apologies.   Can you please send/resend those links?
[...]

I sent you a bunch of bug links in message
<ac7d151dc705356ac32c1dfe2bcb6472084e0eac.camel@xxxxxxxxxxxxxxx> in
August.

Ben.

-- 
Ben Hutchings
Every program is either trivial or else contains at least one bug

Attachment: signature.asc
Description: This is a digitally signed message part