Bug#914297: apache2: getrandom call blocks on first startup, systemd kills with timeout

Stefan Fritsch sf at sfritsch.de
Mon Dec 17 12:59:19 GMT 2018


On Mon, 17 Dec 2018, Michael Biebl wrote:

> On 17.12.18 at 13:52, Stefan Fritsch wrote:
> > On Mon, 17 Dec 2018, Michael Biebl wrote:
> >>> It turns out there was a similar bug against openssh which was closed as 
> >>> wontfix [1]. I don't see how apache can do anything about this, either.
> >>
> >> There is. Don't request high-quality randomness during boot unless you
> >> explicitly need it.
> > 
> > That's utterly wrong. We do crypto and need high-quality randomness. There 
> > can be no discussion about this. The system needs to make sure that we 
> > have entropy when we start network daemons.
> 
> You can't generate entropy out of thin air unfortunately.

But we have good entropy on disk. And it's in the kernel. We just need to 
tell the kernel.

> 
> > The whole point of the getrandom() interface is that it cannot fail and 
> > that its users don't need potentially buggy fallback code. If you break 
> > that assumption, you will introduce security issues in the network daemons 
> > that use weak entropy just in order to not block.
> 
> What I was suggesting is that you don't use getrandom() for places where
> you don't need it.
> Anyway, your anger should not be directed at systemd here.
> It's the wrong recipient.

No, it isn't.
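
Added example, not part of the original message and not code from apache2 or systemd: a C program showing how a daemon can tell whether the getrandom() call discussed in this thread would block, using the GRND_NONBLOCK flag, and log that before waiting on the blocking call. The function names crng_ready and fill_random are hypothetical; Linux with glibc 2.25 or later is assumed.

```c
#define _GNU_SOURCE
#include <errno.h>
#include <stdio.h>
#include <sys/random.h>
#include <sys/types.h>

/* Hypothetical helper: 1 if the kernel CRNG is initialized,
 * 0 if a blocking getrandom() would currently wait, -1 on other errors. */
int crng_ready(void)
{
    unsigned char probe;
    ssize_t n;

    do {
        n = getrandom(&probe, sizeof probe, GRND_NONBLOCK);
    } while (n < 0 && errno == EINTR);

    if (n == (ssize_t)sizeof probe)
        return 1;
    if (n < 0 && errno == EAGAIN)   /* pool not yet initialized */
        return 0;
    return -1;
}

/* Hypothetical helper: fill buf from getrandom() with flags 0, which
 * blocks until the CRNG is initialized. No weaker fallback source. */
int fill_random(unsigned char *buf, size_t len)
{
    size_t off = 0;

    while (off < len) {
        ssize_t n = getrandom(buf + off, len - off, 0);
        if (n < 0) {
            if (errno == EINTR)
                continue;           /* interrupted by a signal: retry */
            return -1;
        }
        off += (size_t)n;           /* short reads are possible */
    }
    return 0;
}

int main(void)
{
    unsigned char key[32];
    int ready = crng_ready();

    if (ready < 0) { perror("getrandom"); return 1; }
    if (ready == 0)
        fprintf(stderr, "kernel CRNG not initialized; waiting for entropy\n");
    if (fill_random(key, sizeof key) != 0) { perror("getrandom"); return 1; }
    puts("obtained 32 bytes from getrandom()");
    return 0;
}
```

The message printed when crng_ready() returns 0 makes a start timeout of the kind in this bug's title attributable to entropy starvation from the service's own log.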



More information about the Pkg-systemd-maintainers mailing list