[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index][Old Index]
Re: Waiting for Randot (or: nia and maya were right and I was wrong)
Taylor R Campbell wrote:
> > Even if the unblocking criteria of Linux and FreeBSD are questionable,
> > they still provide more security than your proposal which amounts to
> > having extremely strict criteria but then completely ignoring.
> This is not accurate. The strict criterion is still available _for
> system integration_, which is where the problem needs to be solved
> anyway, just like other security measures like securelevel and
For the Nth time: if the problem is solved at the system integration
level, there will be no blocking and therefore no need for your
> > Which is why we should deal with the issue by creating an entropy seed
> > at the time of installation or first boot.
> We already do this, and it incorporates any entropy obtained during
> the installation process.
We already had this discussion in the context of PR 55659:
me> Second, make sure that most systems have sufficient entropy, for
me> example by creating a random seed file at installation or upgrade
you> We already do this example.
me> We already create a seed file at installation time, but in many cases
me> it has an entropy estimate of zero, so it doesn't actually actually help.
me> I believe Martin is working on fixing this.
> > To start with, we should re-enable the code Martin already added to
> > sysinst to prompt the user for missing entropy at install time, and we
> > should continue to work on making it easier to use.
> It's not just a prompt -- it will make users feel _trapped_ and hate
> the whole thing, in an installer that already has too many mandatory
> incomprehensible questions. As a matter of user experience, a
> mandatory question like this that gets in the way of doing anything
> else is a dead end.
I think a major reason why users felt trapped was the unfortunate
user interface design choice of requiring the user to terminate the
manual entropy input with an empty line. As I wrote to Martin:
One thing that could be done to make the UI easier to use would be to
ask the user for a single line of input rather than multiple lines.
The "Terminate the input with an empty line" thing is not really
intuitive; when you enter a line of random data and press enter, the
"2:" prompt gives you the impression that what you already entered is
not considered sufficient, so instead of just pressing enter again the
user may choose to enter some more random characters before pressing
enter again, and then it still looks like it's not enough, ad infinitum.
I for one did feel trapped by this, but it's easily fixed. I also
think the UI is too complicated and intimidating in general and
needs to be simplified. But I still think sysinst is the best place
to do this, and certainly more user friendly than being dropped into
single user mode on boot.
Andreas Gustafsson, gson%gson.org@localhost
Main Index |
Thread Index |