Am 10.01.19 um 15:51 schrieb Stefan Fritsch: > On Thu, 10 Jan 2019, Michael Biebl wrote: >>> ACK, we also had to do the same in Grml[.org] and our latest release >>> (2018.12). Now we automatically enable haveged when users boot using >>> the ssh boot option (which is something Grml specific, taking care >>> of setting user password and invoking the ssh service). >> >> And this is a perfect example why crediting the seed file (#914297) is >> not a solution to this problem. > > While I still think this case should be handled by documentation, let's > try to find a way forward that we can agree upon. > > I think the absolute minimum we need something that prints a big fat > warning during boot if the RNG is not yet initialized, points out that > further services may block and that the admin should add entropy sources > like virtio-rng or rdrand. The time when this warning should be printed > should probably be before network is started, because if the admin has > configured vpn services in /etc/network/interfaces, those will already > block because of lack of entropy. > > A second thing we need is a service that finishes when the RNG is > initialized and that has a suitable large timeout for starting (maybe one > day?). Services that need randomness can then depend on that service and > don't need to set their own timeout to huge values. Also it is a lot > easier to see what's wrong if the "wait for RNG" service is blocking than > if some random network service is blocking. > > More things should be done but maybe we can figure those out while we > implement the above two things. Can we agree on this? >
I'd prefer having this documented in the release notes: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=916690 with possible solutions like installing haveged, configuring virtio-rng, etc. depending on the situation. Michael -- Why is it that all of the instruments seeking intelligent life in the universe are pointed away from Earth?
signature.asc
Description: OpenPGP digital signature
