[systemd-bugs] [Bug 80169] please introduce more special targets for facilities like entropy, or netfilter rules

bugzilla-daemon at freedesktop.org bugzilla-daemon at freedesktop.org
Wed Jun 18 13:34:39 PDT 2014


https://bugs.freedesktop.org/show_bug.cgi?id=80169

--- Comment #3 from Christoph Anton Mitterer <calestyo at scientia.net> ---
Oh and for things like entropy (btw: please read the thread at Debian, since I
think I've tried to explain most such questions/ideas there already)...

systemd-random-seed-load.service loads, AFAIU, the random seed file. No more,
no less.

What I was talking about are entropy services like ekeyed (for the Simtec
entropy key), haveged, audioentropyd, etc.

I guess these should mostly not load that early... (at least not with a hard
Required[By]= dependency)...

But for services like httpd... it may be crucial that they're in place...
actually not just from a security POV, but also (when they use blocking
/dev/random) from an availability POV.


Basically, I'd propose the same schema for entropy, like the one for
network-security.target above.

- Have a special target: entropy-services.target (or some better name)
- Teach people: If your service/program does any crypto or other usage of
entropy which is more than throwing the dice in some game:
Require+Before=entropy-services.target
- Services that actually provide these services (haveged, etc. pp.) should
default to RequiredBy+Before=entropy-services.target
- Teach people how they selectively change the hard dependency to a soft one...
e.g. by changing the RequiredBy=entropy-services.target in haveged.service to a
WantedBy=

Bon!
