-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 On 07/26/2011 08:34 AM, Marcus Meissner wrote:
Hi,
The reasoning to not have it enabled was the mimimal set of services running to reduce security attack surface and to enhance startup time.
We reviewed haveged for SLE 11, from a integrity security side it is ok.
We reviewed the randomness it generates briefly (!) and found no issues.
However ... the sheer amount of randomness it claims to generate feels a bit too good to be true to me.
It insanity rating is similar to using /dev/urandom, refering to a previous comment.
That said, we are fine with enabling it if people consider it necessary.
Hrm, if the quality is indistinguishable from /dev/urandom, why wouldn't we just pump from /dev/urandom when /dev/random runs out? - -Jeff
Ciao, Marcus
On Sun, Jul 24, 2011 at 03:34:23PM -0400, Jeff Mahoney wrote:
Haveged has actually become higher priority with 12.1. I was advocating enabling it by default so I'm surprised to see that development has gone the opposite way.
In releases prior to 12.1, drivers for popular network devices contributed to the entropy pool. Those patches weren't getting much traction upstream so we dropped them in the 12.1 kernel. The entropy pool will not be replenished as quickly on 12.1 naturally so haveged being enabled by default would be a good idea.
-Jeff
-- Jeff Mahoney (apologies for the top post -- from my mobile)
On Jul 24, 2011, at 11:02 AM, Lars Müller
wrote: On Sun, Jul 24, 2011 at 03:19:47PM +0100, Olipro wrote:
I see someone else made a post back in May about this and I was wondering if anything came of it since; This daemon is sadly disabled by default in 11.4 which results in /dev/random having very little available entropy at all and thus anything that uses /dev/random for key generation will tend to stall for inordinate amounts of time, especially on systems that are only running from the commandline, for example, I have occasionally seen DNSSEC tutorials for openSUSE which use /dev/urandom - something that I think is just insane, but most likely a result of nothing being available to fill the entropy pool.
See https://bugzilla.novell.com/show_bug.cgi?id=675841 which was refereced by the haveged package change log.
- avoid unnecessary services. bnc#675841 also the start should be mediated by YaST or kiwi depending on presence of a virtualization environment, not by the package itself.
Would it enhance the result if the installer suggest to enable haveged if we decide to operate in runlevel 3?
The amount of black magic in changing defaults in the background without notifying the user must kept as minimal as possible.
Please drive this via bugzilla to make references in the package change log to the bug IDs possible. In bugzilla you're able to place a pointer to the archive of this mailing list thread http://lists.opensuse.org/opensuse-factory/2011-07/msg00378.html
Lars -- Lars Müller [ˈlaː(r)z ˈmʏlɐ] Samba Team SUSE Linux, Maxfeldstraße 5, 90409 Nürnberg, Germany -- To unsubscribe, e-mail: opensuse-factory+unsubscribe@opensuse.org For additional commands, e-mail: opensuse-factory+help@opensuse.org
- -- Jeff Mahoney SUSE Labs -----BEGIN PGP SIGNATURE----- Version: GnuPG v2.0.17 (GNU/Linux) Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org/ iEYEARECAAYFAk4uwqUACgkQLPWxlyuTD7JijQCeNBSWbOfoSA6V18+QZvlKSJps NO0An0isOguoMG4oxTM6DM5AWTTXjD1g =FRUL -----END PGP SIGNATURE----- -- To unsubscribe, e-mail: opensuse-factory+unsubscribe@opensuse.org For additional commands, e-mail: opensuse-factory+help@opensuse.org