FAQ Search Today's Posts Mark Forums Read
» Video Reviews

» Linux Archive

Linux-archive is a website aiming to archive linux email lists and to make them easily accessible for linux users/developers.


» Sponsor

» Partners

» Sponsor

Go Back   Linux Archive > ArchLinux > ArchLinux General Discussion

 
 
LinkBack Thread Tools
 
Old 04-17-2012, 09:37 AM
Karol Blazewicz
 
Default archlinux-keyring & entropy

I'm not sure if [1] is the official announcement, but I'd like to
point out that

# pacman-key --init
gpg: /etc/pacman.d/gnupg/trustdb.gpg: trustdb created
gpg: no ultimately trusted keys found
gpg: Generating pacman keychain master key...

seems to hang forever unless you run 'updtedb' or something so the
entropy problem should be covered, as suggested in [2].
[2] mentions "SigLevel = Required" while [1] tells you to set
"SigLevel = PackageRequired" - I assume because the databases are not
signed yet.


[1] https://pierre-schmitz.com/verify-all-the-packages/
[2] http://mailman.archlinux.org/pipermail/arch-dev-public/2012-April/022785.html
 
Old 04-17-2012, 10:34 AM
Kevin Chadwick
 
Default archlinux-keyring & entropy

On Tue, 17 Apr 2012 11:37:29 +0200
Karol Blazewicz wrote:

> seems to hang forever unless you run 'updtedb' or something so the
> entropy problem should be covered, as suggested in [2].

Maybe something like haveged would fix that but the OpenBSD devs
weren't that impressed with it.


__________________________________________________ ______________

> I was looking at this entropy gatherer (havege) and was wondering if
> OpenBSD uses any similar techniques?
>
> www.irisa.fr/caps/projects/hipsor/

Broadly speaking, yes.

"HAVEGE combines on-the-fly hardware volatile entropy gathering with
pseudo-random number generation."

This is the way all practical random number generators now work,
including OpenBSD's kernel one, Yarrow as implemented e.g. by
FreeBSD, or even Intel's on-chip Bull Mountain.

I don't want to sound too disparaging of the HAVEGE people, but
once you cut through the bluster, what remains is that they use the
processor cycle counter as their sole source of entropy, which they
then feed into their own deterministic pseudo-random number generator.

I suspect their choice of entropy source will not find general
approval *cough, cough*, and rather than designing your own PRNG
to stretch the randomness, you can do what OpenBSD and Intel did
and just use an off-the-shelf cryptographic stream cipher.
 

Thread Tools




All times are GMT. The time now is 04:27 AM.

VBulletin, Copyright ©2000 - 2014, Jelsoft Enterprises Ltd.
Content Relevant URLs by vBSEO ©2007, Crawlability, Inc.
Copyright 2007 - 2008, www.linux-archive.org