On Wed 10 Jul 2019 at 13:52:55 (-0000), Curt wrote:
> On 2019-07-10, Andy Smith <a...@strugglers.net> wrote:
>
> > Secondly, the reason I asked you what you would like done is that in
> > the message I replied to you said that the release notes were
> > something that users don't read. But your proposed solution is to
> > put more things in the release notes.
>
> I said users don't read the release notes? I don't remember saying that.
> I remember saying we can't assume or expect the "regular user" (for any
> arbitrary definition of that) is following the technical discussions of
> the development team. I do think, though, all users are responsible for
> reading the release notes. That's life in the big city, as Mom used to
> say.

Perhaps it was easy to misread what you posted; would it be clearer to
rephrase it as "I think these reserves are relevant and pertinent to the
patch itself, and should be revealed in the Buster release-notes for
users who aren't following the technical discussions of the development
team". But I also think you could withdraw your accusation of dishonesty
on the part of Debian, seeing that you (and others) aren't able to
express clearly what the problem is, what compromises have been made in
Debian's default method, and what the risks are with each of the
"solutions" proposed here and elsewhere.

> > As for the recommended way forward, I'm not sure that there is an
> > easy answer if RDRAND isn't an option. There are complex trade-offs
> > and I think it's probably right that users in this position read the
> > wiki page and work out what's best for them.
> >
> > I do note that for a person in your situation (real hardware [not a
> > virtual machine] with no RDRAND and no TPM), every listed solution
> > has at least one expert that says it is a very bad idea! I don't
> > think there is consensus here yet.
> >
> > In your position I think I'd probably hold my nose (as it says) and
> > use haveged.
>
> What about jiggling my mouse for a while?

I've seen this, and random typing, being advised as a solution. But it's
always struck me that the best source of randomness (usually) available
nowadays is a microphone.

Cheers,
David.