Package: finish-install
Version: 2.56
Severity: important
Tags: security
Control: found -1 2.81
Control: found -1 2.100
Control: found -1 2.101

finish-install creates a random seed in the location used by the urandom init script from the initscripts package. On systemd-based systems, systemd-random-seed.service overrides the urandom init script but uses a different location for its random seed file. Consequently on first boot of systemd-based systems there is no random seed file so the amount of entropy available is lower.

/var/lib/urandom/random-seed
/var/lib/systemd/random-seed

I think finish-install needs to fix this with one of these options:

1. Write the random seed to both locations. This means that when switching init systems you get the old random seed.

2. Write two different random seeds to the two locations. This means that when switching init systems you get a new random seed that has never been used before, but which was generated during the install.

3. Detect the chosen init system and write the random seed to the location preferred by that init system. This means that when switching init systems the first boot of the new init system has no random seed.

I think probably the second scenario is the best since then there is always a random seed available even when switching init systems and that random seed is never reused.

I think this issue should get fixed in stable/oldstable too.

-- 
bye,
pabs

https://wiki.debian.org/PaulWise
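
Option 2 from the report, as an added shell sketch (not finish-install's code and not written by the reporter): an independent seed is written to each of the two paths named above, with owner-only permissions. The function names, the root-directory argument (for example the installer's target mount) and the 512-byte seed size are assumptions.

```shell
# Added example: hypothetical helpers, not finish-install's own code.
# The two seed locations are the ones named in the report.
SEED_PATHS="/var/lib/urandom/random-seed /var/lib/systemd/random-seed"
SEED_BYTES=512   # assumption: seed size in bytes

# Write a separate seed to each location under the root directory $1.
write_seeds() {
    root=$1
    for path in $SEED_PATHS; do
        dest="$root$path"
        mkdir -p "$(dirname "$dest")" || return 1
        # Create the file owner-only before any seed data lands in it.
        ( umask 077 && : > "$dest" ) || return 1
        # Each path gets its own read from the kernel, so no seed is shared.
        dd if=/dev/urandom of="$dest" bs="$SEED_BYTES" count=1 2>/dev/null || return 1
        chmod 600 "$dest" || return 1
    done
}

# Return 0 only if both seeds exist, have the full size, and differ.
check_seeds() {
    root=$1
    first=""
    for path in $SEED_PATHS; do
        dest="$root$path"
        [ -f "$dest" ] || return 1
        [ "$(wc -c < "$dest" | tr -d ' ')" -eq "$SEED_BYTES" ] || return 1
        if [ -n "$first" ] && cmp -s "$first" "$dest"; then
            return 1
        fi
        first="$dest"
    done
}
```
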