Bug#914297: apache2: getrandom call blocks on first startup, systemd kills with timeout
Stefan Fritsch
sf at sfritsch.de
Mon Dec 17 12:52:09 GMT 2018
On Mon, 17 Dec 2018, Michael Biebl wrote:
> > It turns out there was a similar bug against openssh which was closed as
> > wontfix [1]. I don't see how apache can do anything about this, either.
>
> There is. Don't request high-quality randomness during boot unless you
> explicitly need it.
That's utterly wrong. We do crypto and need high-quality randomness. There
can be no discussion about this. The system needs to make sure that we
have entropy when we start network daeamons.
The whole point of the getrandom() interface is that it cannot fail and
that its users don't need potentially buggy fallback code. If you break
that assumption, you will introduce security issues in the network daemons
that use weak entropy just in order to not block.
Cheers,
Stefan
More information about the Pkg-systemd-maintainers
mailing list