From mboxrd@z Thu Jan 1 00:00:00 1970 Return-path: Received: from vps-1010511-3500.united-hoster.de ([81.20.132.56] helo=rohieb.name) by metis.ext.pengutronix.de with esmtp (Exim 4.84_2) (envelope-from ) id 1c7uNw-0002YC-Ux for ptxdist@pengutronix.de; Sat, 19 Nov 2016 02:24:05 +0100 Received: from [192.168.178.246] (p5DDFE7A7.dip0.t-ipconnect.de [93.223.231.167]) (using TLSv1 with cipher DHE-RSA-AES128-SHA (128/128 bits)) (No client certificate requested) (Authenticated sender: rohieb@rohieb.name) by rohieb.name (Postfix) with ESMTPSA id 5BBB32596284 for ; Sat, 19 Nov 2016 02:23:34 +0100 (CET) References: <20161118142136.522f66c2@erd980> <20161118171557.GA2369@archie.localdomain> From: Roland Hieber Message-ID: <283bbede-a186-1f2d-6909-e662c159e22e@rohieb.name> Date: Sat, 19 Nov 2016 02:23:29 +0100 MIME-Version: 1.0 In-Reply-To: <20161118171557.GA2369@archie.localdomain> Subject: Re: [ptxdist] Python 3.5 and the use of getrandom() system call List-Id: PTXdist Development Mailing List List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , Reply-To: ptxdist@pengutronix.de Content-Type: multipart/mixed; boundary="===============1623067676==" Errors-To: ptxdist-bounces@pengutronix.de Sender: "ptxdist" To: ptxdist@pengutronix.de This is an OpenPGP/MIME signed message (RFC 4880 and 3156) --===============1623067676== Content-Type: multipart/signed; micalg=pgp-sha512; protocol="application/pgp-signature"; boundary="S0Pu5e7fLwVr0vXiFKdD8cQVQvDFQjuck" This is an OpenPGP/MIME signed message (RFC 4880 and 3156) --S0Pu5e7fLwVr0vXiFKdD8cQVQvDFQjuck Content-Type: multipart/mixed; boundary="UMQalXXVwjuUjIHlE3hKglFUclgxWcJu3"; protected-headers="v1" From: Roland Hieber To: ptxdist@pengutronix.de Message-ID: <283bbede-a186-1f2d-6909-e662c159e22e@rohieb.name> Subject: Re: [ptxdist] Python 3.5 and the use of getrandom() system call References: <20161118142136.522f66c2@erd980> <20161118171557.GA2369@archie.localdomain> In-Reply-To: <20161118171557.GA2369@archie.localdomain> --UMQalXXVwjuUjIHlE3hKglFUclgxWcJu3 Content-Type: text/plain; charset=utf-8 Content-Transfer-Encoding: quoted-printable On 18.11.2016 18:15, Clemens Gruber wrote: > It's probably a bad idea to just patch python for every PTXdist user. > Not everybody is willing to trade security for faster start times. Judging from Python-3.5.0/Python/random.c:118, it will use the getrandom() syscall with flags=3D0, and according to the getrandom(2) man= page, this will read from /dev/urandom, and also block if the nonblocking entropy pool is not initialized yet. (The man page also mentions explicitly that the random bytes returned by it can be used for cryptographic purposes, for all else, see Filippo Valsordas talk at 32c3 [0] ;-)) So, even if it does not solve the original problem (long boot times), I see nothing wrong with doing this for every user. [0]: https://www.youtube.com/watch?v=3DQ8JAlZ-HJQI > Besides, not having enough entropy will lead to other problems as well.= Oh, could you please elaborate on that? :-) - Roland --UMQalXXVwjuUjIHlE3hKglFUclgxWcJu3-- --S0Pu5e7fLwVr0vXiFKdD8cQVQvDFQjuck Content-Type: application/pgp-signature; name="signature.asc" Content-Description: OpenPGP digital signature Content-Disposition: attachment; filename="signature.asc" -----BEGIN PGP SIGNATURE----- iQIcBAEBCgAGBQJYL6mVAAoJELJBPGbdLD/q29UP/3MwwWREMQTD3OJ+QQ6G/lST MQCqXifNLF/GoFaomkpA+Ie7xcuzzuXnA4rBF9rZI+dhsdZJy9ZGUE8UUF8K5YRH IhgHc00qkXRwPy9W27W4smLVfAGBZ2aNXfaPLu5uyI6sT50ZUFnwq5oD1Rbh10T0 PSPmf3wItKJR1uOEk/zmibY8daosSq/tCw96vEQCN1E/hQ69kAFUx2zKV8+9Yaf2 +5sY6OWWcrffiC4PDXG1F2IaKtBkdew4fC+coyCenLsgeRQwIq4wpm8Z0a9lT6Ae 4va05wKEcB1d2orrPcy2mokxEJopC+hCm3JdzRbG76Soe9KWAvkIRsOyUHFTLRXJ LIp4cplhtlH8Ort6lSelRBR/rlP+Wc6AclR+iMEcnjhfkRV0kFGGuGoAynRE3E4y kj8DHzp0DHVLajVJtzAUf1sju0caG8+LwHiDaxGTq5TE+HDwIdC7iDVt7sfH4iVa NWlOhqo3Nc2YC3+eeCSC9HEZtjqAOSimmW9ddHpciqvyWXgOe04G1NbTeVx5DRgL v+gu78sBNMpWR3IRkTWJifRUTGNYzIq1I+D9iYm/THDAmZu494UqnCuAsb+QIOfJ bBOgc2nEYw5KBTMzHn30i4UcOnm0Ae1CwXKlR9mPC7WzeB1+Qo17vpLBsdljr6oF UeBaZm6Byl4rpONcq/IR =UH5Q -----END PGP SIGNATURE----- --S0Pu5e7fLwVr0vXiFKdD8cQVQvDFQjuck-- --===============1623067676== Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: base64 Content-Disposition: inline X19fX19fX19fX19fX19fX19fX19fX19fX19fX19fX19fX19fX19fX19fX19fX18KcHR4ZGlzdCBt YWlsaW5nIGxpc3QKcHR4ZGlzdEBwZW5ndXRyb25peC5kZQ== --===============1623067676==--