From owner-freebsd-rc@FreeBSD.ORG Fri Sep 14 15:38:10 2012 Return-Path: Delivered-To: freebsd-rc@freebsd.org Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2001:4f8:fff6::34]) by hub.freebsd.org (Postfix) with ESMTP id 045431065672; Fri, 14 Sep 2012 15:38:10 +0000 (UTC) (envelope-from pawel@dawidek.net) Received: from mail.dawidek.net (garage.dawidek.net [91.121.88.72]) by mx1.freebsd.org (Postfix) with ESMTP id 8E2EF8FC17; Fri, 14 Sep 2012 15:38:09 +0000 (UTC) Received: from localhost (89-73-195-149.dynamic.chello.pl [89.73.195.149]) by mail.dawidek.net (Postfix) with ESMTPSA id DB9F5496; Fri, 14 Sep 2012 17:29:24 +0200 (CEST) Date: Fri, 14 Sep 2012 17:30:30 +0200 From: Pawel Jakub Dawidek To: d@delphij.net Message-ID: <20120914153030.GA2146@garage.freebsd.pl> References: <86sjao7q8c.fsf@ds4.des.no> <20120911205302.27484fd6@gumby.homeunix.com> <20120911200925.GA88456@dragon.NUXI.org> <504FA76A.5000209@delphij.net> <20120911211730.GB89188@dragon.NUXI.org> <504FAB87.3020701@delphij.net> <20120911215212.GA89515@dragon.NUXI.org> <504FBD15.8040907@delphij.net> <20120911224855.GE14077@x96.org> <504FC2BD.6070402@delphij.net> MIME-Version: 1.0 Content-Type: multipart/signed; micalg=pgp-sha1; protocol="application/pgp-signature"; boundary="dDRMvlgZJXvWKvBx" Content-Disposition: inline In-Reply-To: <504FC2BD.6070402@delphij.net> X-OS: FreeBSD 10.0-CURRENT amd64 User-Agent: Mutt/1.5.21 (2010-09-15) Cc: Arthur Mesh , Doug Barton , freebsd-rc@freebsd.org, obrien@freebsd.org, freebsd-security@freebsd.org, RW , Dag-Erling ??? Subject: Re: svn commit: r239569 - head/etc/rc.d X-BeenThere: freebsd-rc@freebsd.org X-Mailman-Version: 2.1.5 Precedence: list List-Id: "Discussion related to /etc/rc.d design and implementation." List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Fri, 14 Sep 2012 15:38:10 -0000 --dDRMvlgZJXvWKvBx Content-Type: text/plain; charset=us-ascii Content-Disposition: inline Content-Transfer-Encoding: quoted-printable On Tue, Sep 11, 2012 at 04:01:17PM -0700, Xin Li wrote: > -----BEGIN PGP SIGNED MESSAGE----- > Hash: SHA256 >=20 > On 09/11/12 15:48, Arthur Mesh wrote: > > On Tue, Sep 11, 2012 at 03:37:09PM -0700, Xin Li wrote: > >> Using gzip is better than not using it though, since 4k worth of=20 > >> compressed data is better than 4k worth of plain text because of=20 > >> higher entropy destiny (note that the FreeBSD gzip uses 64K of=20 > >> input/output buffer for compression by the way so maybe only the > >> first 64K is meaningful if we take only 4k of output). > >=20 > > Since there is 1:1 correspondence between compressed and > > uncompressed data, entropy should be the same in both. I am not > > sure it's better to use compression than not -- you do end up > > seeding fewer bytes to yarrow, but you spend more CPU cycles > > compressing it... >=20 > Well, 1:1 correspondence is when we fed full text to /dev/random, > which we don't, right? Only the first 4K gets consumed. So: >=20 > Situation 1: we have 45K of plain text, and only first 4k is fed to > /dev/random at about 5 bits of entropy per byte; 5 bits of entropy per byte from 'sysctl -a' output??? Xin, you are way, way too optimistic. This is plain text, so one bit is mostly unused, so we have 7 usable bits. Out of those 7 bits you claim that 5 on averge is unpredictable? In other words do you think 5/7 (~71%) of this output is unpredictable? It would be great if 1% would be unpredictable, but I highly doubt it. But this is not the point, the point is to colect at least 128 bits in total from those 45kB, so ~0.28% of unpredictable output would be enough if we can of course feed everything into yarrow. Also, compression can definiately increase entropy per byte, but IMHO it can also lose some entropy overall. With lossless compression you don't lose data, but I don't believe you can say that you don't lose entropy. I don't recall who said this (Arthur?), but I fully agree that we should fix yarrow, /dev/random or whatever is dropping the input after 4kB. If we can't do that, then we should hash it with sha512 this way the entropy will be reduced to 512 bits (if there is more entropy in the input) which should be enough for yarrow to be happy. Also note that gzip is currently in /usr/bin/ and /usr/ might not be yet mounted when we do that. --=20 Pawel Jakub Dawidek http://www.wheelsystems.com FreeBSD committer http://www.FreeBSD.org Am I Evil? Yes, I Am! http://tupytaj.pl --dDRMvlgZJXvWKvBx Content-Type: application/pgp-signature -----BEGIN PGP SIGNATURE----- Version: GnuPG v2.0.19 (FreeBSD) iEYEARECAAYFAlBTTZUACgkQForvXbEpPzThjgCgwIGsrhYP93yOt97kqPpQdRab nNYAoJPYvArhjZXZbGH/57tdU9R/fOe0 =VDbY -----END PGP SIGNATURE----- --dDRMvlgZJXvWKvBx--