On Wed, 2014-07-16 at 12:47 -0700, Russ Allbery wrote: > Steven Chamberlain <ste...@pyro.eu.org> writes: [...] > > It seems extreme, but the point is that something must be wrong on the > > system if we get to the fallback code - /dev/urandom missing from a > > chroot, or fd's exhausted, and the kernel not having a reliable sysctl > > interface like OpenBSD's to get random bytes in the first place. > > It would be nice to have a reliable kernel interface for getting > randomness rather than relying on proper chroot configuration.
There is such an interface. It happens to be a char device. Expecting administrators to create /dev/urandom in a chroot is no more unreasonable than expecting them to create /dev/null or /dev/zero. > I'm not > sure sysctl should be that mechanism, but I'm quite sympathetic to the > LibreSSL developers here. Relying on a device being present in a chroot > seems rather dubious. Less so than blundering on without entropy. Ben. -- Ben Hutchings Hoare's Law of Large Problems: Inside every large problem is a small problem struggling to get out.
signature.asc
Description: This is a digitally signed message part