On Wednesday 27 Jul 2011 08:28:44 Stephan Kulow wrote:
Am Dienstag, 26. Juli 2011 schrieb Marcus Meissner:
Hi,
The reasoning to not have it enabled was the mimimal set of services running to reduce security attack surface and to enhance startup time.
We reviewed haveged for SLE 11, from a integrity security side it is ok.
We reviewed the randomness it generates briefly (!) and found no issues.
However ... the sheer amount of randomness it claims to generate feels a bit too good to be true to me.
It insanity rating is similar to using /dev/urandom, refering to a previous comment.
That said, we are fine with enabling it if people consider it necessary.
I think we can easily install it by default and if someone writes a yast agent to enable it for runlevel 3 installations, I'm fine with that too. But I don't want an extra daemon running on default installs that usually don't need it - and those that do need it, can easily enable it.
Greetings, Stephan
The problem is largely that those that *do* need it probably don't actually know they need it. So if you don't want it running on default installs, rather than just blanket turning it off, do something intelligent to determine whether it should be enabled or not. How many people do you think are aware of things like the kernel's entropy pool etcetera? my bet is that the correct answer is "very few" given so many people are swapping random with urandom. -- To unsubscribe, e-mail: opensuse-factory+unsubscribe@opensuse.org For additional commands, e-mail: opensuse-factory+help@opensuse.org