Package: calamares
Version: 3.2.4-3
Severity: important
Tags: security
X-Debbugs-CC: debian-live@lists.debian.org

Calamares does not create a random seed in the location used by either the urandom init script from the initscripts package or the systemd equivalent systemd-random-seed service. Calamares copies the contents of the squashfs image (which has no random seed file) rather than copying the live system (which has a random seed file), consequently on first boot of Calamares installed systems there is no random seed file so the amount of entropy available is lower.

/var/lib/urandom/random-seed
/var/lib/systemd/random-seed

I think Calamares needs to fix this by writing two different random seeds to these two locations. This means that when switching init systems you get a new random seed that has never been used before, but which was generated during the install. I'm not sure if the locations should be configured by the package calamares-settings-debian or hardcoded upstream or something else.

This is the code that the Debian installer uses to save a random seed:

# If possible, save a random seed so that the installed system has better
# entropy on first boot. Based on /etc/init.d/urandom in initscripts.
if [ -c /dev/urandom ] && [ -d /target/var/lib/urandom ]; then
	if ! POOLBYTES=$((
		($(cat /proc/sys/kernel/random/poolsize 2>/dev/null) + 7) / 8
	)); then
		POOLBYTES=512
	fi
	umask 077
	dd if=/dev/urandom of=/target/var/lib/urandom/random-seed \
		bs="$POOLBYTES" count=1 >/dev/null 2>&1
fi

I think this issue should get fixed in unstable and stable too.

--
bye,
pabs

https://wiki.debian.org/PaulWise
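
The approach requested in the report, as an added example that is not code from Calamares or the Debian installer: it extends the installer snippet quoted above to both seed locations, reading /dev/urandom separately for each file so the two seeds differ. The function names `seed_pool_bytes` and `save_random_seeds` and the target-root argument are assumptions made for illustration.

```sh
#!/bin/sh
# Added example (not Calamares or debian-installer code).
# Hypothetical helpers: seed_pool_bytes, save_random_seeds.

seed_pool_bytes() {
    # The kernel reports the pool size in bits; round up to bytes.
    # Fall back to 512 when the value is unreadable or not a number.
    bits=$(cat /proc/sys/kernel/random/poolsize 2>/dev/null) || bits=
    case "$bits" in
        ''|*[!0-9]*) echo 512 ;;
        *) echo $(( (bits + 7) / 8 )) ;;
    esac
}

save_random_seeds() {
    # $1 is the root of the freshly installed system (assumed argument).
    target=$1
    [ -c /dev/urandom ] || return 1
    bytes=$(seed_pool_bytes)
    written=0
    # The two locations named in the report.
    for rel in var/lib/urandom/random-seed var/lib/systemd/random-seed; do
        dir=$target/${rel%/*}
        # Like the installer snippet, only seed directories that exist.
        [ -d "$dir" ] || continue
        # The subshell keeps the restrictive umask local. Removing any old
        # file first makes sure the new one is created with mode 0600.
        # Each file gets its own read, so the seeds are independent.
        (
            umask 077
            rm -f "$dir/random-seed"
            dd if=/dev/urandom of="$dir/random-seed" \
                bs="$bytes" count=1 2>/dev/null
        ) || return 1
        written=$((written + 1))
    done
    # Succeed only if at least one seed file was written.
    [ "$written" -gt 0 ]
}
```

An installer would call `save_random_seeds` with the mount point of the target root after the squashfs contents have been unpacked, so the seed files land in the installed system rather than in the live image.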