Package: kdebase
Version: 4:3.4.2-1
Severity: important
Tags: security

I strenuously disagree with the upstream decision taken to point kdm at /dev/urandom instead of /dev/random for entropy.
Using /dev/urandom is fine for unserious applications that need a source of (pseudo-)random numbers, such as games. Display managers like kdm and xdm do not read /dev/random for frivolous purposes, however -- they use it to get a seed for a session authorization key (in the case of xdm, for the XDM-AUTHORIZATION-1 protocol, and maybe MIT-MAGIC-COOKIE-1 as well).

A few years ago someone (maybe it was me, I don't remember) wrote a patch to xdm that implements a "randomStream" resource -- older versions of xdm, from which kdm was forked a long time ago, used "/dev/mem" as its entropy source, and as that file was not anywhere close to entropic, the code would read 8MB of data and hash it.

Reading 8MB from /dev/random is indeed stupid -- but reading that much data from /dev/urandom instead is not the right fix. The right fix is to read only the data you need from a known entropic source. In the case of xdm (and almost certainly kdm), that's just a few bytes.

Reading the bits for the crypto key from /dev/urandom might be fine for distributions like Linspire that run the graphical desktop as root by default, but it's not for us. We should be as secure as we can reasonably be by default.

Once #76336 was fixed, the complaints I was getting about xdm taking "forever" to start ceased.

http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=76336;archive=yes

If you'd like to discuss this further, I suggest the debian-devel mailing list. It may be that most people disagree with me, though I hope not.

-- System Information:
Debian Release: testing/unstable
  APT prefers unstable
  APT policy: (500, 'unstable'), (500, 'stable')
Architecture: powerpc (ppc)
Shell:  /bin/sh linked to /bin/bash
Kernel: Linux 2.6.9-powerpc-smp
Locale: LANG=C, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8)
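Added example, not part of the original report and not xdm or kdm source: one way to read only the seed bytes a display manager needs from a configured random stream, instead of hashing megabytes of input. The names read_seed and SEED_LEN, the 16-byte seed size, and the /dev/random path in main() are assumptions made for illustration.

```c
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <sys/stat.h>
#include <unistd.h>

#define SEED_LEN 16 /* assumed seed size: one 128-bit cookie */

/* Fill buf with exactly len bytes from the character device at path.
 * Returns 0 on success, -1 on failure (buf must then not be used). */
int read_seed(const char *path, unsigned char *buf, size_t len)
{
    struct stat st;
    size_t got = 0;
    int fd = open(path, O_RDONLY | O_NOCTTY);

    if (fd < 0)
        return -1;
    /* A stream setting that points at a regular file would yield the
     * same "random" seed on every start, so refuse non-devices. */
    if (fstat(fd, &st) != 0 || !S_ISCHR(st.st_mode)) {
        close(fd);
        return -1;
    }
    while (got < len) {
        ssize_t n = read(fd, buf + got, len - got);
        if (n > 0)
            got += (size_t)n;   /* short read: ask for the rest */
        else if (n < 0 && errno == EINTR)
            continue;           /* interrupted by a signal: retry */
        else
            break;              /* EOF or hard error: give up */
    }
    close(fd);
    return got == len ? 0 : -1;
}

int main(void)
{
    unsigned char seed[SEED_LEN];

    /* Path is an assumption; a real daemon would take it from config. */
    if (read_seed("/dev/random", seed, sizeof seed) != 0) {
        fprintf(stderr, "no seed available, refusing to start\n");
        return 1;
    }
    printf("read %d seed bytes\n", SEED_LEN);
    return 0;
}
```

The caller treats any failure as fatal, so a short or missing seed never ends up in a session key.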