Github user aledsage commented on the pull request:
https://github.com/apache/incubator-brooklyn/pull/117#issuecomment-52950989
All very interesting! I think we need a security expert!
http://www.2uo.de/myths-about-urandom/ quotes folk like
http://en.wikipedia.org/wiki/Daniel_J._Bernstein to suggest that urandom is not
that bad (usually).
What we would want to check though is the case where the randomness pool
has never been initialized (e.g. by checking `cat
/proc/sys/kernel/random/entropy_avail`).
I like the idea of using `haveged` to add some additional entropy so that
CSPRNG re-seeds, but using `/dev/urandom` seems not too bad.
I want a real security expert to answer this question though, and until
then we must play it safe (i.e. stick with /dev/random as the default).
---
If your project is set up for it, you can reply to this email and have your
reply appear on GitHub as well. If your project does not have this feature
enabled and wishes so, or if the feature is enabled but not working, please
contact infrastructure at [email protected] or file a JIRA ticket
with INFRA.
---
