Mailinglist Archive: opensuse-factory (505 mails)

[Jeff Mahoney <jeffm@xxxxxxx>]

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

On 07/26/2011 08:34 AM, Marcus Meissner wrote:
> Hi,
>
> The reasoning to not have it enabled was the mimimal set of services 
> running to reduce security attack surface and to enhance startup
> time.
>
>
> We reviewed haveged for SLE 11, from a integrity security side it is
> ok.
>
> We reviewed the randomness it generates briefly (!) and found no
> issues.
>
> However ... the sheer amount of randomness it claims to generate 
> feels a bit too good to be true to me.
>
> It insanity rating is similar to using /dev/urandom, refering to a
> previous comment.
>
> That said, we are fine with enabling it if people consider it
> necessary.

Hrm, if the quality is indistinguishable from /dev/urandom, why wouldn't
we just pump from /dev/urandom when /dev/random runs out?

- -Jeff



> Ciao, Marcus
>
>
> On Sun, Jul 24, 2011 at 03:34:23PM -0400, Jeff Mahoney wrote:
> > Haveged has actually become higher priority with 12.1. I was
> > advocating enabling it by default so I'm surprised to see that
> > development has gone the opposite way.
> >
> > In releases prior to 12.1, drivers for popular network devices
> > contributed to the entropy pool. Those patches weren't getting much
> > traction upstream so we dropped them in the 12.1 kernel. The
> > entropy pool will not be replenished as quickly on 12.1 naturally
> > so haveged being enabled by default would be a good idea.
> >
> > -Jeff
> >
> > -- Jeff Mahoney (apologies for the top post -- from my mobile)
> >
> > On Jul 24, 2011, at 11:02 AM, Lars Müller <lmuelle@xxxxxxx> wrote:
> >
> > > On Sun, Jul 24, 2011 at 03:19:47PM +0100, Olipro wrote:
> > > > I see someone else made a post back in May about this and I was
> > > > wondering if anything came of it since; This daemon is sadly
> > > > disabled by default in 11.4 which results in /dev/random having
> > > > very little available entropy at all and thus anything that
> > > > uses /dev/random for key generation will tend to stall for 
> > > > inordinate amounts of time, especially on systems that are only
> > > > running from the commandline, for example, I have occasionally
> > > > seen DNSSEC tutorials for openSUSE which use /dev/urandom -
> > > > something that I think is just insane, but most likely a result
> > > > of nothing being available to fill the entropy pool.
> > >
> > > See https://bugzilla.novell.com/show_bug.cgi?id=675841 which was 
> > > refereced by the haveged package change log.
> > >
> > > - avoid unnecessary services. bnc#675841 also the start should be
> > > mediated by YaST or kiwi depending on presence of a
> > > virtualization environment, not by the package itself.
> > >
> > > Would it enhance the result if the installer suggest to enable
> > > haveged if we decide to operate in runlevel 3?
> > >
> > > The amount of black magic in changing defaults in the background
> > > without notifying the user must kept as minimal as possible.
> > >
> > > Please drive this via bugzilla to make references in the package
> > > change log to the bug IDs possible.  In bugzilla you're able to
> > > place a pointer to the archive of this mailing list thread 
> > > http://lists.opensuse.org/opensuse-factory/2011-07/msg00378.html
> > >
> > > Lars -- Lars Müller [ˈlaː(r)z ˈmʏlɐ] Samba Team SUSE Linux,
> > > Maxfeldstraße 5, 90409 Nürnberg, Germany
> > -- To unsubscribe, e-mail:
> > opensuse-factory+unsubscribe@xxxxxxxxxxxx For additional commands,
> > e-mail: opensuse-factory+help@xxxxxxxxxxxx


- -- 
Jeff Mahoney
SUSE Labs
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v2.0.17 (GNU/Linux)
Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org/

iEYEARECAAYFAk4uwqUACgkQLPWxlyuTD7JijQCeNBSWbOfoSA6V18+QZvlKSJps
NO0An0isOguoMG4oxTM6DM5AWTTXjD1g
=FRUL
-----END PGP SIGNATURE-----
-- 
To unsubscribe, e-mail: opensuse-factory+unsubscribe@xxxxxxxxxxxx
For additional commands, e-mail: opensuse-factory+help@xxxxxxxxxxxx