On Thu, Jul 15, 2010 at 11:51, Lennart Poettering <mzerqung@xxxxxxxxxxx> wrote:
> On Thu, 15.07.10 11:01, Stephen John Smoogen (smooge@xxxxxxxxx) wrote:
>
>> > I am aware that doing things during package installation instead of
>> > first-boot is problematic for system images that are distributed and
>> > booted from multiple machines. Maybe for those cases (where r/o root
>> > isn't doable) we should provide some easy infrastructure to generate all
>> > keys on boot, controlled by some central switch.
>>
>> I think this was looked at way in the past.. the issue was that there
>> wasn't enough entropy to build all of them during install or first
>> boot. This caused things to lock up as it was using /dev/random as
>> /dev/urandom was not considered good enough for this.
>
> Hmm, are you saying there is neither enough entropy at install nor on
> first boot? When do you want to create the certs then?

I am saying there wasn't. I do not know about now... install
environments are funky so I would not assume that the entropy there is
'good-enough' for cert creation. I do not know if there is enough at
first boot these days or if urandom is good enough now. Those would be
something the security team would be better at.

> Lennart
>
> --
> Lennart Poettering - Red Hat, Inc.
> --
> devel mailing list
> devel@xxxxxxxxxxxxxxxxxxxxxxx
> https://admin.fedoraproject.org/mailman/listinfo/devel
>

--
Stephen J Smoogen.
“The core skill of innovators is error recovery, not failure avoidance.”
Randy Nelson, President of Pixar University.
"We have a strategic plan. It's called doing things."
— Herb Kelleher, founder Southwest Airlines