GNU bug report logs

#29773 urandom-seed-service should run earlier in the boot process


Message #11 received at 29773@debbugs.gnu.org (full text, mbox, reply):

From: ludo@gnu.org (Ludovic Courtès)
To: Leo Famulari <leo@famulari.name>
Subject: Re: bug#29773: urandom-seed-service should run earlier in the boot
 process
References: <20171219191348.GA19177@jasmine.lan>
X-URL: http://www.fdn.fr/~lcourtes/
X-Revolutionary-Date: 30 Frimaire an 226 de la Révolution
X-PGP-Key-ID: 0x090B11993D9AEBB5
X-PGP-Key: http://www.fdn.fr/~lcourtes/ludovic.asc
X-PGP-Fingerprint: 3CE4 6455 8A84 FDC6 9DB4  0CFB 090B 1199 3D9A EBB5
X-OS: x86_64-pc-linux-gnu
Date: Wed, 20 Dec 2017 11:19:36 +0100
In-Reply-To: <20171219191348.GA19177@jasmine.lan> (Leo Famulari's message of
 "Tue, 19 Dec 2017 14:13:48 -0500")
Message-ID: <87tvwlzop3.fsf@gnu.org>
Cc: 29773@debbugs.gnu.org
[Message part 1 (text/plain, inline)]
Hello,

Leo Famulari <leo@famulari.name> skribis:

> In some cases, the applications require some random data before any
> services are started, during activation. For example, our OpenSSH
> service generates its host keys during activation. And even if it
> generated host keys during the start of the OpenSSH service, that
> service does not depend on urandom-seed-service. [0]
>
> In systemd, there is an abstract sysinit "target" that basically serves
> as a checkpoint. All the lower-level system initialization is required
> before the sysinit.target is met, and the rest of the services depend on
> sysinit. The random seeding is part of sysinit. I've reproduced a graph
> of this in [1].

There’s a ‘user-processes’ service that serves a similar purpose.

With the attached patches ‘urandom-seed’ becomes a dependency of
‘user-processes’, meaning that daemons & co. start after
‘urandom-seed’.

WDYT?

> In practice, I'm not sure if it matters. I'd appreciate if GuixSD users
> could check /var/log/messages for warnings like this one and report
> them:
>
> random: application: uninitialized urandom read (16 bytes read) 

I don’t have any of these.  I guess this is most likely to happen when
running ‘ssh-keygen’ on startup, which isn’t the case on my machine.

Ludo’.

[0002-services-urandom-seed-Become-a-dependency-of-user-pr.patch (text/x-patch, attachment)]
[0001-services-user-processes-service-type-can-now-be-exte.patch (text/x-patch, attachment)]
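
The log check requested in the quoted text can be scripted. The following is an added example, not part of the original message or of the Guix code base: it tallies "uninitialized urandom read" kernel warnings per process. The function names and the sample log lines are constructed for illustration, and the line format is assumed to be a syslog prefix followed by the kernel message quoted above.

```shell
#!/bin/sh
# Added example: summarise "uninitialized urandom read" kernel warnings
# so that early consumers of /dev/urandom (before the pool is seeded)
# can be identified by process name.

# Constructed sample syslog lines (not taken from a real machine).
sample_log() {
cat <<'EOF'
Dec 20 05:19:01 host kernel: [    2.104211] random: ssh-keygen: uninitialized urandom read (32 bytes read)
Dec 20 05:19:01 host kernel: [    2.110932] random: ssh-keygen: uninitialized urandom read (32 bytes read)
Dec 20 05:19:02 host kernel: [    2.871450] random: dhclient: uninitialized urandom read (16 bytes read)
Dec 20 05:19:05 host kernel: [    6.402118] random: crng init done
Dec 20 05:19:06 host sshd[312]: Server listening on 0.0.0.0 port 22.
EOF
}

# Read syslog text on stdin and print one tab-separated line per process:
#   process-name <TAB> number-of-reads <TAB> total-bytes-read
# Output is sorted by process name. Process names may contain spaces,
# so the name is cut out by position rather than by field splitting.
uninit_urandom_summary() {
    awk '
    match($0, /random: .*: uninitialized urandom read \([0-9]+ bytes read\)/) {
        msg  = substr($0, RSTART + 8, RLENGTH - 8)      # text after "random: "
        mark = ": uninitialized urandom read ("
        i    = index(msg, mark)
        proc = substr(msg, 1, i - 1)                    # process name (comm)
        n    = substr(msg, i + length(mark)) + 0        # leading byte count
        reads[proc]++
        bytes[proc] += n
    }
    END { for (p in reads) printf "%s\t%d\t%d\n", p, reads[p], bytes[p] }
    ' | sort
}

# Exit status 0 if stdin contains at least one such warning, 1 otherwise.
uninit_urandom_seen() {
    [ -n "$(uninit_urandom_summary)" ]
}

# Demonstration on the constructed sample.
sample_log | uninit_urandom_summary
```

On a real system the same function can be fed the log named in the report, for example `uninit_urandom_summary < /var/log/messages`; any process listed drew random bytes before the kernel pool was initialized and is a candidate for depending on ‘urandom-seed’.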


debbugs.gnu.org maintainers <help-debbugs@gnu.org>. Last modified: Sat Dec 21 16:58:08 2024; Machine Name: wallace-server
