NetBSD-Users archive


Re: where to set/override entropy $random_file location?



On Sun, Oct 12, 2025 at 07:40:48PM -0400, Greg Troxel wrote:
> Steve Rikli <sr%genyosha.net@localhost> writes:
>
> > It's worth noting that sysinst creates a working entropy config during
> > initial install, as you'd hope.  E.g. if / and /var/ are separate
> > filesystems, sysinst creates /boot.cfg with these rndseeds:
> >
> >   menu=Boot normally:rndseed /etc/entropy-file;boot
> >   menu=Boot single user:rndseed /etc/entropy-file;boot -s
> >
> > and /etc/rc.conf gets this setting:
> >
> >   random_file=/etc/entropy-file
> >
> > this is functional and requires no manual changes, so that's good. But
> > again it doesn't match security.conf(5) documentation or the
> > /etc/defaults/{security,rc}.conf contents, and will result in a separate
> > /var/db/entropy-file being created by /etc/security.
> 
> Which is harmless to create, but pointless as it is not read on boot.

Yeah. Also contributes to the technical mess you mentioned, wastes a
tiny bit of disk space, and presumably a few compute cycles now and then
to re-create the file etc. Mostly it's just pointless, as you say.

> >>   The location of the file should be defined in one place, and rc.conf
> >>   is the right place.
> >
> > I tend to agree. Given sysinst behavior, I'm inclined to suggest moving
> > this line:
> >
> >   random_file=/var/db/entropy-file
> >
> > from /etc/defaults/security.conf into /etc/defaults/rc.conf , and
> > similarly moving the security.conf(5) entry for "random_file" into the
> > rc.conf(5) man page. /etc/security would need updating in that case,
> > to define the new method for determining $random_file location.
> 
> Agreed, except I think it should just call /etc/rc.d/random_seed.

Ah, I hadn't considered that. After briefly looking at FreeBSD's cron
for regular entropy regeneration, I wondered if perhaps that duty needs
to be part of NetBSD /etc/security script at all. I suppose it's a
convenient place for it, since it's already part of the daily cron.

> I suspect given the lack of other cranky comments, we're in a "patches
> welcome" state.

I was thinking I'd give it another day or so and then put in a PR, at
least as a placeholder to capture and summarize this thread. Is that
worthwhile?

In previous PRs I described and/or cut-pasted problems and suggested
fixes in the gnats form/email, and good things often happened after
that.  :-)

While I've submitted a few PRs in the past, I've never contributed
code, diffs, patches, etc. to NetBSD. Frankly it's even been a while
since I used build.sh or pkgsrc -- I've been almost entirely using
binary updates since I returned to running a few NetBSD systems.

In short, I'm not a developer. But for areas like this, which are more
like systems config and scripts than kernels and libs and such, I might
be able to help a little.

Is there a getting started primer in the wiki or the Guide? I searched a
bit but not thoroughly; so e.g. I don't really know where to start for
something like "generate diffs and make a patch for these config files
and man pages, and here's how/where to submit them".

Pointers welcomed.

Cheers,
sr.
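
The mismatch discussed in this thread can be checked mechanically. The following is an added example, not part of the original message and not NetBSD's own code: a POSIX sh check that the file named by `rndseed` in boot.cfg is the one `random_file` points to in rc.conf, and that security.conf does not name a different one. The function names and the `make_sample` files are constructed for illustration; the conf files are parsed as text rather than sourced.

```sh
#!/bin/sh
# Added example (not NetBSD code): check that the seed file the bootloader
# loads is the one rc.conf saves to, and flag a differing security.conf value.

# Paths named by rndseed commands in a boot.cfg; commands in a menu= line
# follow the first ':' and are separated by ';'.
rndseed_paths() {
    sed -n 's/^menu=[^:]*://p' "$1" | tr ';' '\n' |
        awk '$1 == "rndseed" && $2 != "" { print $2 }' | sort -u
}

# Last random_file= assignment in a shell-style conf file (assumption: the
# file is read as text, not sourced, so variable expansion is not handled).
random_file_of() {
    sed -n 's/^[[:space:]]*random_file=//p' "$1" | tr -d "\"'" | tail -n 1
}

# check_entropy_config BOOTCFG RCCONF SECURITYCONF -> 0 if consistent, else 1
check_entropy_config() {
    rc_path=$(random_file_of "$2"); sec_path=$(random_file_of "$3"); rv=0
    for p in $(rndseed_paths "$1"); do
        if [ "$p" != "$rc_path" ]; then
            echo "MISMATCH: boot loads $p, rc.conf random_file=${rc_path:-unset}"
            rv=1
        fi
    done
    if [ -n "$sec_path" ] && [ "$sec_path" != "$rc_path" ]; then
        echo "EXTRA: security.conf random_file=$sec_path differs from rc.conf"
        rv=1
    fi
    return $rv
}

# Constructed sample files reproducing the layout described in the thread.
make_sample() {
    printf '%s\n' 'menu=Boot normally:rndseed /etc/entropy-file;boot' \
        'menu=Boot single user:rndseed /etc/entropy-file;boot -s' > "$1/boot.cfg"
    echo 'random_file=/etc/entropy-file' > "$1/rc.conf"
    echo 'random_file=/var/db/entropy-file' > "$1/security.conf"
}

d=$(mktemp -d) && make_sample "$d"
check_entropy_config "$d/boot.cfg" "$d/rc.conf" "$d/security.conf" || echo "status $?"
rm -rf "$d"
```

On the constructed sample it reports only the differing security.conf value, since boot.cfg and rc.conf already agree on /etc/entropy-file.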

