I just noticed that dhclient's randomness package uses, among other things, a variety of system commands (ps, netstat, etc) to harvest entropy. Unfortunately, dhclient is used in many situations where these commands are not available: sysinstall floppy, diskless client, /rescue, etc.
The obvious fix would alter dhclient to rely only on /dev/random for entropy. (It seems this code is common to bind as well.) Policy Question: is a fast, high-quality /dev/random a gauranteed feature starting with 5.0? Technical Question: is /dev/random sufficient for the cryptographic requirements of programs like dhclient, bind, etc? I believe both of these are answered 'yes'. If so, I'll work up a patch to alter these programs to rely solely on /dev/random. I suppose that patch should be sent to the ISC folks, since those programs are vendor imports. (?) (I'm envisioning a FAST_GOOD_DEV_RANDOM compile-time switch; if set, /dev/random would be the only source of entropy used.) Any pointers/suggestions appreciated, Tim Kientzle To Unsubscribe: send mail to [EMAIL PROTECTED] with "unsubscribe freebsd-hackers" in the body of the message