On 2019-07-08, Andrei POPESCU <andreimpope...@gmail.com> wrote:
>
>> Wow. Another reason to love systemd :-(
>
> Not clear to me why you are blaming systemd here.
>

Because systemd is to blame (at least in the opinion of some people in the know, like Stefan Frisch, for instance):

https://qa.debian.org/developer.php?login=s...@debian.org
https://lists.debian.org/debian-devel/2018/12/msg00184.html

...

The systemd maintainers argue that individual services should handle this problem [1,2]. But this does not scale, and the whole point of the getrandom() syscall is that it cannot fail and that its users do not need fallback code that is not well-tested and probably buggy. [5]

> In my understanding what sysv-init does (crediting entropy over reboots)
> is not secure for various reasons.

...

The problem is that systemd (and probably /etc/init.d/urandom, too) does not set the flag that allows the kernel to credit the randomness, and so the kernel does not know about the entropy contained in that file. Systemd upstream argues that this is supposed to protect against the same OS image being used many times [3]. (More links to more discussion can be found at [4].) But an identical OS image needs to be modified anyway in order to be secure (re-create ssh host keys, change root password, re-create ssl-cert's private keys, etc.). Injecting some entropy in some way is just another task that needs to be done for that use case.

So basically the current implementation of systemd-random-seed.service breaks stuff for everyone while not fixing the thing they are claiming to fix.

>> Another reason to perform fresh installs rather than upgrades whenever
>> possible.
>
> How is that supposed to help?
>
> Kind regards,
> Andrei

-- 
"These findings demonstrate that under appropriate conditions the isolated, intact large mammalian brain possesses an underappreciated capacity for restoration of microcirculation and molecular and cellular activity after a prolonged post-mortem interval." From a recent article in *Nature*. Holy shit.
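The "flag that allows the kernel to credit the randomness" discussed above, shown as an added example that is not part of this thread and not systemd's own code: a plain write(2) to /dev/urandom mixes a saved seed into the pool but credits no entropy, so a blocking getrandom() caller still waits; the RNDADDENTROPY ioctl on /dev/random (a real Linux interface, needs CAP_SYS_ADMIN) mixes the same bytes in and credits them. It assumes Linux with glibc's getrandom() wrapper; the seed file path comes from the command line and is whatever the reader chooses.

```c
/* Added example, not code from this thread or from systemd: the two ways a
 * saved seed can be handed to the Linux kernel. write(2) on /dev/urandom
 * mixes the bytes in but credits no entropy; the RNDADDENTROPY ioctl on
 * /dev/random both mixes and credits them (needs CAP_SYS_ADMIN).
 * crng_ready() shows what a getrandom() caller would see either way.
 * Build: cc -Wall -O2 seed_credit.c -o seed_credit   (Linux, glibc >= 2.25) */
#define _GNU_SOURCE
#include <errno.h>
#include <fcntl.h>
#include <linux/random.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/ioctl.h>
#include <sys/random.h>
#include <unistd.h>

/* 1 if the CRNG is initialized (getrandom() would return at once),
 * 0 if a blocking getrandom() would wait, -1 on any other error. */
int crng_ready(void)
{
    unsigned char b;
    ssize_t n = getrandom(&b, 1, GRND_NONBLOCK);
    if (n == 1) return 1;
    if (n < 0 && errno == EAGAIN) return 0;
    return -1;
}

/* Build the RNDADDENTROPY argument for `len` seed bytes. With credit != 0 the
 * kernel is told the buffer carries len*8 bits of entropy; with 0 the bytes
 * are only mixed in, which is all a plain write() ever does. Caller frees. */
struct rand_pool_info *make_pool_info(const unsigned char *seed, size_t len, int credit)
{
    if (len == 0 || len > 4096) return NULL;          /* keep the ioctl argument sane */
    struct rand_pool_info *rpi = malloc(sizeof *rpi + len);
    if (!rpi) return NULL;
    rpi->entropy_count = credit ? (int)(len * 8) : 0;
    rpi->buf_size = (int)len;
    memcpy(rpi->buf, seed, len);
    return rpi;
}

/* Feed `seed` to the kernel. Returns 0 on success, -1 with errno set. */
int feed_seed(const unsigned char *seed, size_t len, int credit)
{
    int fd = open(credit ? "/dev/random" : "/dev/urandom", O_WRONLY | O_CLOEXEC);
    if (fd < 0) return -1;
    int rc = -1;
    if (credit) {
        struct rand_pool_info *rpi = make_pool_info(seed, len, 1);
        if (rpi) {
            rc = ioctl(fd, RNDADDENTROPY, rpi);      /* EPERM without CAP_SYS_ADMIN */
            free(rpi);
        } else {
            errno = EINVAL;
        }
    } else if (write(fd, seed, len) == (ssize_t)len) {
        rc = 0;
    }
    int saved = errno;
    close(fd);
    errno = saved;
    return rc < 0 ? -1 : 0;
}

/* Usage: seed_credit <seed-file> [--credit]   (the seed file path is the reader's choice) */
int main(int argc, char **argv)
{
    if (argc < 2) { fprintf(stderr, "usage: %s <seed-file> [--credit]\n", argv[0]); return 2; }
    int credit = argc > 2 && strcmp(argv[2], "--credit") == 0;
    unsigned char seed[512];
    FILE *f = fopen(argv[1], "rb");
    if (!f) { perror(argv[1]); return 1; }
    size_t n = fread(seed, 1, sizeof seed, f);
    fclose(f);
    if (n == 0) { fprintf(stderr, "%s: empty seed file\n", argv[1]); return 1; }

    printf("before: crng_ready=%d\n", crng_ready());
    if (feed_seed(seed, n, credit) < 0) { perror(credit ? "RNDADDENTROPY" : "write"); return 1; }
    printf("after:  crng_ready=%d (%s)\n", crng_ready(), credit ? "credited" : "not credited");
    return 0;
}
```

Run it once without and once with `--credit` on a freshly booted VM and compare the `crng_ready` values: only the credited path can take the CRNG from 0 to 1. Whoever credits a seed file also has to overwrite it with fresh getrandom() output afterwards, otherwise a cloned image or the next boot credits the same bytes a second time, which is the concern the thread argues about.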