On Wednesday 07 May 2014 15:12:53 James wrote:

> So please continue the "protage" thread discussion, but also a wider thread
> concerning other source downloads. After all, *if you can inject* into
> sources, which are then compiled, who checks under the under_garments?

Ha! You need to go a few clicks back, or should I say under? What if the
hash algo itself is borked and collisions are becoming accepted? What if the
RNG you use on your PC is either backdoored by Intel (if hardware generated),
or it has such a low entropy that it is trivial to crack its algorithmic
derivatives.

I was quite surprised to see that the random pool available on a laptop I was
working on at the time was exceedingly lower than the 4096 max entropy.

Try this to see yours: cat /proc/sys/kernel/random/entropy_avail

I now run sys-apps/haveged in the background, at least when I am generating
ssl/gpg/ssh keys.

> [1]
> http://arstechnica.com/information-technology/2014/04/openssl-code-beyond-repair-claims-creator-of-libressl-fork/

Useful to know someone is cleansing the code. Thanks for sharing!

--
Regards,
Mick