[arch-general] archlinux-keyring & entropy
I'm not sure if [1] is the official announcement, but I'd like to point out that

    # pacman-key --init
    gpg: /etc/pacman.d/gnupg/trustdb.gpg: trustdb created
    gpg: no ultimately trusted keys found
    gpg: Generating pacman keychain master key...

seems to hang forever unless you run 'updatedb' or something so the entropy problem should be covered, as suggested in [2].

[2] mentions "SigLevel = Required" while [1] tells you to set "SigLevel = PackageRequired" - I assume because the databases are not signed yet.

[1] https://pierre-schmitz.com/verify-all-the-packages/
[2] http://mailman.archlinux.org/pipermail/arch-dev-public/2012-April/022785.htm...

On Tue, 17 Apr 2012 11:37:29 +0200 Karol Blazewicz wrote:
> seems to hang forever unless you run 'updatedb' or something so the entropy problem should be covered, as suggested in [2].

Maybe something like haveged would fix that but the OpenBSD devs weren't that impressed with it.

________________________________________________________________

I was looking at this entropy gatherer (havege) and was wondering if OpenBSD uses any similar techniques?
www.irisa.fr/caps/projects/hipsor/
Broadly speaking, yes. "HAVEGE combines on-the-fly hardware volatile entropy gathering with pseudo-random number generation." This is the way all practical random number generators now work, including OpenBSD's kernel one, Yarrow as implemented e.g. by FreeBSD, or even Intel's on-chip Bull Mountain. I don't want to sound too disparaging of the HAVEGE people, but once you cut through the bluster, what remains is that they use the processor cycle counter as their sole source of entropy, which they then feed into their own deterministic pseudo-random number generator. I suspect their choice of entropy source will not find general approval *cough, cough*, and rather than designing your own PRNG to stretch the randomness, you can do what OpenBSD and Intel did and just use an off-the-shelf cryptographic stream cipher.
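
An added example (not part of the thread, and not code from pacman or GnuPG): a POSIX shell helper that polls the kernel's entropy estimate and proceeds only once it passes a threshold, so a stall like the one reported for pacman-key --init shows up as a timeout instead of a silent hang. The procfs path is the standard Linux one; the function names, the 256-bit threshold and the 60-second timeout are assumptions.

```shell
#!/bin/sh
# Added example: gate key generation on the kernel's entropy estimate.
# The threshold and timeout in the usage line are assumptions, not values
# taken from the thread.

ENTROPY_FILE="${ENTROPY_FILE:-/proc/sys/kernel/random/entropy_avail}"

# entropy_bits FILE
# Print the estimate as an integer; return 2 if FILE is unreadable or
# does not contain a plain non-negative number.
entropy_bits() {
    [ -r "$1" ] || return 2
    bits=$(tr -d '[:space:]' < "$1")
    case "$bits" in
        ''|*[!0-9]*) return 2 ;;
    esac
    printf '%s\n' "$bits"
}

# entropy_ready FILE MIN_BITS
# Return 0 if the estimate is at least MIN_BITS, 1 if it is lower,
# 2 if the estimate could not be read.
entropy_ready() {
    bits=$(entropy_bits "$1") || return 2
    [ "$bits" -ge "$2" ]
}

# wait_for_entropy FILE MIN_BITS TIMEOUT_SECONDS
# Poll once per second. Return 0 when ready, 1 on timeout, 2 on read error.
wait_for_entropy() {
    waited=0
    while :; do
        rc=0
        entropy_ready "$1" "$2" || rc=$?
        [ "$rc" -eq 1 ] || return "$rc"      # ready (0) or read error (2)
        [ "$waited" -lt "$3" ] || return 1   # still low and out of time
        sleep 1
        waited=$((waited + 1))
    done
}

# Usage (as root):
#   wait_for_entropy "$ENTROPY_FILE" 256 60 && pacman-key --init
```

A timeout (exit status 1) means the estimate stayed below the threshold for the whole wait, which is the condition under which a blocking read for key material stalls.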
participants (2)
- Karol Blazewicz
- Kevin Chadwick