On Tue, Jun 20, 2017 at 7:38 PM, Theodore Ts'o <tytso@xxxxxxx> wrote:
> On Tue, Jun 20, 2017 at 11:49:07AM +0200, Jason A. Donenfeld wrote:
>> ...
>>> I more or less agree with you that we should just turn this on for all
>>> users and they'll just have to live with the spam and report odd
>>> entries, and over time we'll fix all the violations.
>
> There seems to be a fundamental misapprehension that it will be easy
> to "fix all the violations". For certain hardware types, this is
> not easy, and the "eh, let them get spammed until we get around to
> fixing it" attitude is precisely what I was pushing back against.

I can't speak for others, but for me: I think they will fall into three
categories:

1. easy to fix
2. difficult to fix
3. unable to fix

(1) is low-hanging fruit and they will probably (hopefully?) be cleared
easily. Like systemd on x86_64 with rdrand and rdseed. There's no reason
for systemd to find itself starved of entropy on that platform.
(cf., http://github.com/systemd/systemd/issues/4167).

Organizations that find themselves in (3) can choose to use a board or
server and accept the risk, or they can choose to remediate it in another
way. The "other way" may include a capital expenditure and a hardware
refresh. The central point is, they know about the risk and they can make
the decision.

Jeff