On Sat, Sep 28, 2019 at 05:20:47PM +0800, Paul Wise wrote:
>Package: finish-install
>Version: 2.56
>Severity: important
>Tags: security
>Control: found -1 2.81
>Control: found -1 2.100
>Control: found -1 2.101
>
>finish-install creates a random seed in the location used by the
>urandom init script from the initscripts package. On systemd based
>systems, systemd-random-seed.service overrides the urandom init script
>but uses a different location for its random seed file. Consequently on
>first boot of systemd based systems there is no random seed file so the
>amount of entropy available is lower.
>
>/var/lib/urandom/random-seed
>/var/lib/systemd/random-seed
>
>I think finish-install needs to fix this with one of these options:
>
> 1. Write the random seed to both locations. This means that when
>    switching init systems you get the old random seed.
> 2. Write two different random seeds to the two locations. This means
>    that when switching init systems you get a new random seed that
>    has never been used before, but which was generated during the
>    install.
> 3. Detect the chosen init system and write the random seed to the
>    location preferred by that init system. This means that when
>    switching init systems the first boot of the new init system has no
>    random seed.
>
>I think probably the second scenario is the best since then there is
>always a random seed available even when switching init systems and
>that random seed is never reused.

Wouldn't it just be easier to write it to one location and replace the
other with a symlink to it?

-- 
Steve McIntyre, Cambridge, UK.                                st...@einval.com
< sladen> I actually stayed in a hotel and arrived to find a post-it
          note stuck to the mini-bar saying "Paul: This fridge and
          fittings are the correct way around and do not need altering"
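
Option 2 from the quoted report (two different seeds, one per location), sketched as an added shell example that is not part of the thread and is not finish-install's code. The 512-byte seed size, the function names and the ROOT argument are assumptions; the two paths are the ones named in the report.

```shell
#!/bin/sh
# Added example, not finish-install code. SEED_BYTES is an assumed size;
# the two relative paths are the locations named in the bug report.
SEED_BYTES=512
SEED_PATHS="var/lib/urandom/random-seed var/lib/systemd/random-seed"

# write_seeds ROOT: write an independent seed to each location under ROOT.
write_seeds() {
    root=$1
    old_umask=$(umask)
    umask 077                       # seed files must not be readable by others
    for rel in $SEED_PATHS; do
        dest="$root/$rel"
        mkdir -p "$(dirname "$dest")" || { umask "$old_umask"; return 1; }
        # One read of /dev/urandom per file, so neither seed is a copy.
        head -c "$SEED_BYTES" /dev/urandom > "$dest.tmp" &&
            mv -f "$dest.tmp" "$dest" || { umask "$old_umask"; return 1; }
    done
    umask "$old_umask"
}

# audit_seeds ROOT: return 0 only if both seeds exist, are full size,
# have no group/other permission bits, and differ from each other.
audit_seeds() {
    root=$1
    rc=0
    for rel in $SEED_PATHS; do
        f="$root/$rel"
        if [ ! -f "$f" ]; then
            echo "missing seed: $rel"; rc=1; continue
        fi
        [ "$(wc -c < "$f")" -eq "$SEED_BYTES" ] || { echo "short seed: $rel"; rc=1; }
        [ -z "$(find "$f" -perm /077)" ] || { echo "group/other access: $rel"; rc=1; }
    done
    set -- $SEED_PATHS
    if [ -f "$root/$1" ] && [ -f "$root/$2" ] && cmp -s "$root/$1" "$root/$2"; then
        echo "seeds are identical (one would be reused)"; rc=1
    fi
    return $rc
}
```

Run `write_seeds /target` against the installed system's root, then `audit_seeds /target` to confirm that neither init system would boot without a seed or with a shared one.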