On 07/27/2011 11:16 AM, Olipro wrote:
On Wednesday 27 Jul 2011 08:28:44 Stephan Kulow wrote:
On Tuesday, 26 July 2011, Marcus Meissner wrote:
Hi,
The reasoning to not have it enabled was the minimal set of services running to reduce security attack surface and to enhance startup time.
We reviewed haveged for SLE 11, from an integrity security side it is ok.
We reviewed the randomness it generates briefly (!) and found no issues.
However ... the sheer amount of randomness it claims to generate feels a bit too good to be true to me.
Its insanity rating is similar to using /dev/urandom, referring to a previous comment.
That said, we are fine with enabling it if people consider it necessary.
I think we can easily install it by default and if someone writes a yast agent to enable it for runlevel 3 installations, I'm fine with that too. But I don't want an extra daemon running on default installs that usually don't need it - and those that do need it, can easily enable it.
Greetings, Stephan
The problem is largely that those that *do* need it probably don't actually know they need it. So if you don't want it running on default installs, rather than just blanket turning it off, do something intelligent to determine whether it should be enabled or not.
How many people do you think are aware of things like the kernel's entropy pool etcetera? My bet is that the correct answer is "very few" given so many people are swapping random with urandom.
One of the other reasons to have it enabled early in the installation process or just before you start configuring things is: SSL key generation.
Think about VPN server, DNS, LDAP, CA, SSH keys, SSL/TLS vhosts, database TLS connections, and what will become more and more used: DNS zone signing (DNSSEC).
Yep, typically not a workstation usage, but pretty much all server patterns should have it. No?
--
Bruno Friedmann
Ioda-Net Sàrl www.ioda-net.ch
openSUSE Member & Ambassador
GPG KEY : D5C9B751C4653227
irc: tigerfoot