On Mon, 17 Dec 2018, Michael Biebl wrote:
> > Well, this problem is much more widespread (in terms of software that
> > requests entropy needlessly) than you might think. If you override the
> > unit for something as deterministic as systemd-tmpfiles-setup.service
> > to run it under strace and log the result, you'll see numerous calls
> > to getrandom().
>
> Incidentally there is
> https://github.com/systemd/systemd/commit/abdcb688a8a82807cb5f864babdba91c859ac5f8
>
> This patch is not yet in the Debian package.
>
> I'm well aware that this potentially affects quite a lot of packages,
> but I can only repeat that systemd-random-seed is not the answer here.
>
> I fear that indeed the only option is to review each and every service
> during boot which requests randomness, unless the change in
> openssl/kernel is reverted.
No, that's wrong. This will introduce security issues in those services.

> I don't think making haveged essential would make sense, as this problem
> manifests typically in containerized or virtualized environments.
> For the latter, if using KVM, the best option afaik is to use virtio-rng.
>
> And yes, at this point I think the only solution is to document this in
> the release notes.

No. This needs discussion on debian-devel, or if there is no consensus, the technical committee.
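The quoted message describes auditing a boot-time service by overriding its unit to run under strace and looking for getrandom() calls. The script below is an added example, not code from the thread or from the Debian or systemd projects: it prints the drop-in that wraps a service's ExecStart in strace, and it counts the getrandom() calls in the resulting log, separating those made without GRND_NONBLOCK (which can block until the kernel pool is initialised and so delay boot) from the rest. The unit name example.service, the log path /run/strace-example.log and the sample strace lines are all assumptions constructed for the example.

```shell
#!/bin/sh
# Added example (not from the mail thread). Audits a boot-time service for
# getrandom() calls, as the quoted message describes: a systemd drop-in wraps
# the service's ExecStart in strace, and the log is then scanned for
# getrandom() calls and whether each one could block.
#
# Assumed names (not in the original mail): example.service and
# /run/strace-example.log. Only do this on a test or debugging system;
# the drop-in is removed again afterwards with rm + systemctl daemon-reload.

# Print a drop-in that wraps the service's ExecStart in strace.
# Usage: print_strace_dropin /usr/bin/example-daemon > \
#        /etc/systemd/system/example.service.d/strace.conf   (assumed path)
print_strace_dropin() {
    cat <<EOF
[Service]
# An empty ExecStart= clears the unit's original command before replacing it.
ExecStart=
ExecStart=/usr/bin/strace -f -e trace=getrandom -o /run/strace-example.log $1
EOF
}

# Constructed sample strace log (not real output from any system). With -f,
# strace prefixes every line with the PID of the process that made the call.
make_sample_log() {
    cat > "$1" <<'EOF'
1234  getrandom("\x8f\x1c\x03\xa2\x5d\x77\x0b\xe1", 8, GRND_NONBLOCK) = 8
1234  getrandom("\x11\x22\x33\x44\x55\x66\x77\x88\x99\xaa\xbb\xcc\xdd\xee\xff\x00", 16, 0) = 16
1240  getrandom("\x01\x02\x03\x04\x05\x06\x07\x08\x09\x0a\x0b\x0c\x0d\x0e\x0f\x10", 16, 0) = 16
1240  +++ exited with 0 +++
EOF
}

# Total number of getrandom() calls in an strace log.
# grep -c exits 1 when the count is zero, so "|| :" keeps the 0 on stdout.
count_getrandom() {
    grep -c 'getrandom(' "$1" || :
}

# Calls made without GRND_NONBLOCK: these block until the pool is initialised
# and are the ones that stall boot on hosts with little early entropy.
count_blocking_getrandom() {
    grep 'getrandom(' "$1" | grep -vc 'GRND_NONBLOCK' || :
}

# Demo on the constructed log: sh audit-getrandom.sh --demo
if [ "${1-}" = "--demo" ]; then
    log=$(mktemp)
    make_sample_log "$log"
    echo "getrandom() calls:          $(count_getrandom "$log")"
    echo "of which potentially blocking: $(count_blocking_getrandom "$log")"
    rm -f "$log"
fi
```

On a real system the log produced by the drop-in is read with the same two functions; a non-zero blocking count on a service that should be deterministic, such as systemd-tmpfiles-setup.service in the quoted message, is the case worth reporting against the package.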