On Sat, Jul 09, 2016 at 04:39:02PM +0200, David Craven wrote: > Yeah, I should have better said I don't know instead of talking out of my ass.
That's harsh! I'm not an expert either, but I have begun trying to understand the assumptions that programs like SSH daemons make in their security model. In some cases, they assume that /dev/urandom has been properly seeded, which it typically is not after first boot. > All I can really do is trust that the people who write security > related code know what they are doing. Right, but like I said above, we must make an effort to know the assumptions they are making about the system. > Is there anything else holding this up? I'm not the best person to review new services — they are still a little over my head. At least, I should not be the sole reviewer. In the meantime, can you provide an OS declaration (config.scm) that makes use of dropbear-service so we can easily test it? I'd like for this to become standard practice when new services are submitted for review.
