On Wed, 2019-01-09 at 11:40 -0500, Theodore Y. Ts'o wrote:
> On Wed, Jan 09, 2019 at 09:58:22AM +0100, Stefan Fritsch wrote:
[...]
> > No, that's utterly wrong. If it's a hassle to use good entropy, people
> > will use gettimeofday() for getting "entropy" and they will use it for
> > security relevant purposes. In this way, you would achieve exactly the
> > opposite of what you want.
>
> If *users* do this, then if they end up releasing credit card numbers
> or PII or violate their customers privacy which brings the EU's GDPR
> enforcers down on them, it's on *their* heads. If *Debian* makes a
> local Debian-specific change which causes these really bad outcomes,
> then it's on *ours*.
>
> We've tried to do this ten years ago, when well-meaning Debian
> Developers tried to "fix" OpenSSL's random number library, and it
> turned out to be a disaster[1]. So let's be careful and to replicate
> past mistakes, eh?

It's a bit late for that:
https://lists.debian.org/debian-release/2018/05/msg00130.html

[...]
> Sure, this is why developers need to investigate the bugs. You said
> you provided links, but I couldn't find any in your e-mail messages or
> earlier ones on this thread. Perhaps I missed them; in which case, my
> apologies. Can you please send/resend those links?
[...]

I sent you a bunch of bug links in message
<ac7d151dc705356ac32c1dfe2bcb6472084e0eac.ca...@decadent.org.uk> in
August.

Ben.

-- 
Ben Hutchings
Every program is either trivial or else contains at least one bug