Hi,
The reasoning to not have it enabled was the minimal set of services running to reduce security attack surface and to enhance startup time.
We reviewed haveged for SLE 11, from an integrity security side it is ok. We reviewed the randomness it generates briefly (!) and found no issues.
However ... the sheer amount of randomness it claims to generate feels a bit too good to be true to me. Its insanity rating is similar to using /dev/urandom, referring to a previous comment.
That said, we are fine with enabling it if people consider it necessary.
Ciao, Marcus
On Sun, Jul 24, 2011 at 03:34:23PM -0400, Jeff Mahoney wrote:
Haveged has actually become higher priority with 12.1. I was advocating enabling it by default so I'm surprised to see that development has gone the opposite way.
In releases prior to 12.1, drivers for popular network devices contributed to the entropy pool. Those patches weren't getting much traction upstream so we dropped them in the 12.1 kernel. The entropy pool will not be replenished as quickly on 12.1 naturally so haveged being enabled by default would be a good idea.
-Jeff
-- Jeff Mahoney (apologies for the top post -- from my mobile)
On Jul 24, 2011, at 11:02 AM, Lars Müller <lmuelle@suse.de> wrote:
On Sun, Jul 24, 2011 at 03:19:47PM +0100, Olipro wrote:
I see someone else made a post back in May about this and I was wondering if anything came of it since. This daemon is sadly disabled by default in 11.4 which results in /dev/random having very little available entropy at all and thus anything that uses /dev/random for key generation will tend to stall for inordinate amounts of time, especially on systems that are only running from the command line, for example, I have occasionally seen DNSSEC tutorials for openSUSE which use /dev/urandom - something that I think is just insane, but most likely a result of nothing being available to fill the entropy pool.
See https://bugzilla.novell.com/show_bug.cgi?id=675841 which was referenced by the haveged package change log.
- avoid unnecessary services. bnc#675841 also the start should be mediated by YaST or kiwi depending on presence of a virtualization environment, not by the package itself.
Would it enhance the result if the installer suggests to enable haveged if we decide to operate in runlevel 3?
The amount of black magic in changing defaults in the background without notifying the user must be kept as minimal as possible.
Please drive this via bugzilla to make references in the package change log to the bug IDs possible. In bugzilla you're able to place a pointer to the archive of this mailing list thread http://lists.opensuse.org/opensuse-factory/2011-07/msg00378.html
Lars
Lars Müller [ˈlaː(r)z ˈmʏlɐ] Samba Team SUSE Linux, Maxfeldstraße 5, 90409 Nürnberg, Germany
To unsubscribe, e-mail: opensuse-factory+unsubscribe@opensuse.org For additional commands, e-mail: opensuse-factory+help@opensuse.org
-- Working, but not speaking, for the following german company: SUSE LINUX Products GmbH, HRB 16746 (AG Nuernberg) Geschaeftsfuehrer: Jeff Hawn, Jennifer Guild, Felix Imendoerffer