| 1 |
On Wednesday 07 May 2014 15:12:53 James wrote: |
| 2 |
|
| 3 |
> So please continue the "protage" thread discussion, but also a wider thread |
| 4 |
> concerning other source downloads. Afterall, *if" you can inject* into |
| 5 |
> sources, which are then compiled, who checks under the under_garments? |
| 6 |
|
| 7 |
Ha! You need to go a few clicks back, or should I say under? What if the |
| 8 |
hash algo itself is borked and collisions are becoming accepted? What if the |
| 9 |
RNG you use on your PC is either backdoored by Intel (if hardware generated), |
| 10 |
or it has such a low entropy that it is trivial to crack its algorithmic |
| 11 |
derivatives. |
| 12 |
|
| 13 |
I was quite surprised to see that the random pool available on a laptop I was |
| 14 |
working on at the time, was exceedingly lower than the 4096 max entropy. |
| 15 |
|
| 16 |
Try this to see yours: cat /proc/sys/kernel/random/entropy_avail |
| 17 |
|
| 18 |
I now run sys-apps/haveged in the background, at least when I am generating |
| 19 |
ssl/gpg/ssh keys. |
| 20 |
|
| 21 |
|
| 22 |
> [1] |
| 23 |
> http://arstechnica.com/information-technology/2014/04/openssl-code-beyond-r |
| 24 |
> epair-claims-creator-of-libressl-fork/ |
| 25 |
|
| 26 |
Useful to know someone is cleansing the code. Thanks for sharing! |
| 27 |
|
| 28 |
-- |
| 29 |
Regards, |
| 30 |
Mick |
Archives