On Mon, 17 Dec 2018, Michael Biebl wrote: > Am 17.12.18 um 13:52 schrieb Stefan Fritsch: > > On Mon, 17 Dec 2018, Michael Biebl wrote: > >>> It turns out there was a similar bug against openssh which was closed as > >>> wontfix [1]. I don't see how apache can do anything about this, either. > >> > >> There is. Don't request high-quality randomness during boot unless you > >> explicitly need it. > > > > That's utterly wrong. We do crypto and need high-quality randomness. There > > can be no discussion about this. The system needs to make sure that we > > have entropy when we start network daeamons. > > You can't generate entropy out of thin air unfortunately.
But we have good entropy on disk. And it's in the kernel. We just need to tell the kernel. > > > The whole point of the getrandom() interface is that it cannot fail and > > that its users don't need potentially buggy fallback code. If you break > > that assumption, you will introduce security issues in the network daemons > > that use weak entropy just in order to not block. > > What I was suggesting is that you don't use getrandom() for places where > you don't need it. > Anyway, your anger should not be directed at systemd here. > It's the wrong recipient. No, it isn't.