Bug#914297: apache2: getrandom call blocks on first startup, systemd kills with timeout

Michael Biebl biebl at debian.org
Mon Dec 17 12:56:36 GMT 2018


Am 17.12.18 um 13:52 schrieb Stefan Fritsch:
> On Mon, 17 Dec 2018, Michael Biebl wrote:
>>> It turns out there was a similar bug against openssh which was closed as 
>>> wontfix [1]. I don't see how apache can do anything about this, either.
>>
>> There is. Don't request high-quality randomness during boot unless you
>> explicitly need it.
> 
> That's utterly wrong. We do crypto and need high-quality randomness. There 
> can be no discussion about this. The system needs to make sure that we 
> have entropy when we start network daeamons.

You can't generate entropy out of thin air unfortunately.

> The whole point of the getrandom() interface is that it cannot fail and 
> that its users don't need potentially buggy fallback code. If you break 
> that assumption, you will introduce security issues in the network daemons 
> that use weak entropy just in order to not block.

What I was suggesting is that you don't use getrandom() for places where
you don't need it.
Anyway, your anger should not be directed at systemd here.
It's the wrong recipient.


-- 
Why is it that all of the instruments seeking intelligent life in the
universe are pointed away from Earth?

-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 833 bytes
Desc: OpenPGP digital signature
URL: <http://alioth-lists.debian.net/pipermail/pkg-systemd-maintainers/attachments/20181217/85e8a451/attachment-0001.sig>


More information about the Pkg-systemd-maintainers mailing list