On Mon, Sep 21, 2020 at 10:40:37AM +0200, Stephan Mueller wrote: > Am Montag, 21. September 2020, 09:58:16 CEST schrieb Nicolai Stange: > > > - people dislike the approach of having two competing implementations for > > what is basically the same functionality in the kernel. > > Is this really so bad considering the security implications on this topic? We > also have multiple file systems, multiple memory allocators, etc... Exactly. I thought Linux was about the freedom of choice. Some people choose to get a FIPS certification for their Linux-based products, which mostly means to restrict crypto capabilities to an "allowed" set, granted. But in this case people might opt for some sort of "entropy QA". I find it hard to accept that this option is suppressed, especially if it's because of personal antipathy of the maintainer about the origin of this change and not for technical reasons. Restrictions on cryptographic functionality are ok, but health tests on entropy sources are not? I do understand people's reluctance after the dual-ECC DRBG desaster, but OTOH SElinux is generally considered an improvement. Definitely not everything coming from that direction is tainted. A big portion of this patch set is cleanup, another one said introduction of entropy source monitoring. This is important, no matter what your attitude towards certifications might be. Torsten
