lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  PHC 
Open Source and information security mailing list archives
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]
Date:	Wed, 05 Dec 2007 08:26:19 -0600
From:	Mike McGrath <>
To:	Matt Mackall <>
CC:	Alan Cox <>, Theodore Tso <>,
	Ray Lee <>, Adrian Bunk <>,
	Marc Haber <>,
Subject: Re: Why does reading from /dev/urandom deplete entropy so much?

Matt Mackall wrote:
> On Tue, Dec 04, 2007 at 04:23:12PM -0600, Mike McGrath wrote:
>> Matt Mackall wrote:
>>> On Tue, Dec 04, 2007 at 03:18:27PM -0600, Mike McGrath wrote:
>>>> Matt Mackall wrote:
>>>>> which would have been in v2.6.22-rc4 through the normal CVE process.
>>>>> The only other bits in there are wall time and utsname, so systems
>>>>> with no CMOS clock would behave repeatably. Can we find out what
>>>>> kernels are affected?
>>>> We can but it will likely take a few weeks to get a good sampling. UUID 
>>>> is unique in the db so when someone checks in with the same UUID, the 
>>>> old one gets overwritten.
>>> We can probably assume that for whatever reason the two things with
>>> duplicate UUID had the same seed. If not, we've got -much- bigger
>>> problems.
>> Ok, I think I see whats going on here. I have some further investigation 
>> to do but it seems that the way our Live CD installer works is causing 
>> these issues. I'm going to try to grab some live CD's and hardware to 
>> confirm but at this point it seems thats whats going on.
> Alright, keep me posted. We probably need a scheme to make the initial
> seed more robust regardless of what you find out

Ok, whats going on here is an issue with how the smolt RPM installs the 
UUID and how Fedora's Live CD does an install.  It's a complete false 
alarm on the kernel side, sorry for the confusion.


To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to
More majordomo info at
Please read the FAQ at

Powered by blists - more mailing lists