Personally, I'm happy with anything that your average high school student is unlikely to be able to crack in an hour. I don't run a bank, or a military installation, and I'm not the NSA. If someone is prepared to put in the effort required to break into my systems, then let them, it isn't worth the cost to prevent that tiny chance. That's the same way that my house has ordinary locks - I'm sure they can be picked by someone who knows what they're doing, and better security is available, at a price, but a nice happy medium is what fits me best.
FWIW, I used to work for a company whose marketing motto was Good enough isn't! But I definitely agree with you - what we used to have is "good enough" for the vast bulk of our users and potential users. Perhaps sysinst(8) should ask Do you need a hyper-secure system? If yes, then leave things as they are today. But if you answer no, we should automatically copy enough pseudo-entropy bits to /dev/rnd to prevent future blocking. +--------------------+--------------------------+-----------------------+ | Paul Goyette | PGP Key fingerprint: | E-mail addresses: | | (Retired) | FA29 0E3B 35AF E8AE 6651 | paul%whooppee.com@localhost | | Software Developer | 0786 F758 55DE 53BA 7731 | pgoyette%netbsd.org@localhost | +--------------------+--------------------------+-----------------------+