On Wednesday 07 May 2014 15:12:53 James wrote:
> So please continue the "protage" thread discussion, but also a wider thread
> concerning other source downloads. After all, *if* you can inject into
> sources, which are then compiled, who checks under the under_garments?

Ha! You need to go a few clicks back, or should I say under? What if the hash algo itself is borked and collisions are becoming accepted? What if the RNG you use on your PC is either backdoored by Intel (if hardware generated), or has such low entropy that it is trivial to crack its algorithmic derivatives?

I was quite surprised to see that the random pool available on a laptop I was working on at the time was considerably lower than the 4096 max entropy. Try this to see yours:

  cat /proc/sys/kernel/random/entropy_avail

I now run sys-apps/haveged in the background, at least when I am generating ssl/gpg/ssh keys.

> [1]
> http://arstechnica.com/information-technology/2014/04/openssl-code-beyond-repair-claims-creator-of-libressl-fork/

Useful to know someone is cleansing the code. Thanks for sharing!

-- 
Regards,
Mick
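The entropy check Mick describes, turned into a small script. This is an added example, not part of the original mailing-list post: it reads the same /proc/sys/kernel/random/entropy_avail file, but compares it against the kernel's own /proc/sys/kernel/random/poolsize rather than the hard-coded 4096 figure, because the pool size the kernel reports depends on the kernel version. The 25% threshold and the function names are assumptions chosen for the example; the haveged check uses pgrep, which is assumed to be installed.

```shell
#!/bin/sh
# Added example (not from the original post): classify the kernel's reported
# entropy level relative to the pool size it reports, and warn when it is low
# and haveged is not running. POSIX sh only, integer arithmetic only.

# classify_entropy AVAIL POOLSIZE [PERCENT]
# Prints "low" when AVAIL is below PERCENT of POOLSIZE (default 25), else "ok".
classify_entropy() {
    avail=$1
    pool=$2
    pct=${3:-25}          # threshold is an assumption for this example
    if [ $(( avail * 100 )) -lt $(( pool * pct )) ]; then
        echo low
    else
        echo ok
    fi
}

# entropy_report [DIR]
# Reads the live values from /proc (Linux only) and prints a one-line summary.
# Returns 1 when the files are not readable, e.g. on a non-Linux host.
entropy_report() {
    dir=${1:-/proc/sys/kernel/random}
    if [ ! -r "$dir/entropy_avail" ] || [ ! -r "$dir/poolsize" ]; then
        echo "no readable $dir (not Linux?)" >&2
        return 1
    fi
    avail=$(cat "$dir/entropy_avail")
    pool=$(cat "$dir/poolsize")
    status=$(classify_entropy "$avail" "$pool")
    echo "entropy_avail=$avail poolsize=$pool status=$status"
    # Mick's mitigation was to run haveged; flag when the pool is low and it is absent.
    if [ "$status" = low ] && ! pgrep -x haveged >/dev/null 2>&1; then
        echo "entropy pool low and haveged is not running" >&2
    fi
    return 0
}

# Usage: print the live report; ignore the failure on hosts without /proc.
entropy_report || true
```

Run it before generating long-lived keys; if it prints "low", start haveged (or another entropy daemon) and run it again before continuing.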