Debian Bug report logs - #662736
RFP: maxwell -- entropy-gathering daemon

Package: wnpp; Maintainer for wnpp is wnpp@debian.org;

Reported by: Sandy Harris <sandyinchina@gmail.com>

Date: Tue, 6 Mar 2012 05:03:05 UTC

Severity: wishlist



Report forwarded to debian-bugs-dist@lists.debian.org, unknown-package@qa.debian.org:
Bug#662736; Package maxwell. (Tue, 06 Mar 2012 05:03:08 GMT) Full text and rfc822 format available.

Acknowledgement sent to Sandy Harris <sandyinchina@gmail.com>:
New Bug report received and forwarded. Copy sent to unknown-package@qa.debian.org. (Tue, 06 Mar 2012 05:03:08 GMT) Full text and rfc822 format available.

Message #5 received at submit@bugs.debian.org (full text, mbox):

From: Sandy Harris <sandyinchina@gmail.com>
To: submit@bugs.debian.org
Subject: Re: RFP: maxwell(8) entropy-gathering demon
Date: Tue, 6 Mar 2012 13:01:30 +0800
Package: maxwell
Version: 1.2

> This collects randomness from timer interrupts and feeds it to random(4).
> It is mainly useful on very limited systems -- phone, embedded, ....
> It may be essential on some Freedom Box systems.
>
> Code and a PDF rationale document at:
> ftp://ftp.cs.sjtu.edu.cn:990/sandy/maxwell/
>
> License is GPL v2.
>
> I am the author and am willing to assist as necessary, but
> I do not want to take on responsibility for Debian packaging
> and maintenance.




Bug reassigned from package 'maxwell' to 'wnpp'. Request was from Gergely Nagy <algernon@madhouse-project.org> to control@bugs.debian.org. (Tue, 06 Mar 2012 06:42:03 GMT) Full text and rfc822 format available.

Bug No longer marked as found in versions 1.2. Request was from Gergely Nagy <algernon@madhouse-project.org> to control@bugs.debian.org. (Tue, 06 Mar 2012 06:42:04 GMT) Full text and rfc822 format available.

Changed Bug title to 'RFP: maxwell -- entropy-gathering daemon' from 'RFP: maxwell(8) entropy-gathering demon' Request was from Gergely Nagy <algernon@madhouse-project.org> to control@bugs.debian.org. (Tue, 06 Mar 2012 06:42:04 GMT) Full text and rfc822 format available.

Severity set to 'wishlist' from 'normal' Request was from Gergely Nagy <algernon@madhouse-project.org> to control@bugs.debian.org. (Tue, 06 Mar 2012 06:42:05 GMT) Full text and rfc822 format available.

Information forwarded to debian-bugs-dist@lists.debian.org, debian-devel@lists.debian.org, wnpp@debian.org:
Bug#662736; Package wnpp. (Wed, 18 Jul 2012 03:03:03 GMT) Full text and rfc822 format available.

Acknowledgement sent to "Pedro I. Sanchez" <pirivan.sanchez@gmail.com>:
Extra info received and forwarded to list. Copy sent to debian-devel@lists.debian.org, wnpp@debian.org. (Wed, 18 Jul 2012 03:03:03 GMT) Full text and rfc822 format available.

Message #18 received at 662736@bugs.debian.org (full text, mbox):

From: "Pedro I. Sanchez" <pirivan.sanchez@gmail.com>
To: Debian Bug Tracking System <662736@bugs.debian.org>
Subject: ITP: maxwell -- entropy-gathering daemon
Date: Tue, 17 Jul 2012 23:01:19 -0400
Package: wnpp
Followup-For: Bug #662736
Owner: "Pedro I. Sanchez" <psanchez@fosstel.com>

Package: wnpp
Followup-For: Bug #662736
Owner: "Pedro I. Sanchez" <psanchez@fosstel.com>

Package: wnpp
Followup-For: Bug #662736
Owner: "Pedro I. Sanchez" <psanchez@fosstel.com>

Package: wnpp
Severity: wishlist

* Package name         : maxwell
  Version              : 1.2-1
  Upstream Author      : Sandy Harris <sandyinchina@gmail.com>
* URL                  : ftp://ftp.cs.sjtu.edu.cn:990/sandy/maxwell/
* License              : GPL v2
  Programming Language : C
* Description          : entropy-gathering daemon

Daemon to gather entropy from a timer and feed it to random(4).

maxwell collects randomness from the small variations in a system
timer, distills it into a concentrated form, and sends it to random (4).

The amount of output varies with the parameters chosen, but is
generally a few K bits per second. The quality is intended to be very high.
Both volume and quality should be adequate for most applications.

There are a number of other ways to feed entropy to random (4).
The advantage of maxwell is that it is small, simple and only minimally
hardware-dependent. The other methods also have advantages, and in many
cases one of them will be preferable to this one.


The package can be found on mentors.debian.net:

	http://mentors.debian.net/package/maxwell

This is an initial release.

TODO:

* Package to consider the fact that maxwell is a daemon.
* Create binaries for accompanying test programs.



Information forwarded to debian-bugs-dist@lists.debian.org, wnpp@debian.org:
Bug#662736; Package wnpp. (Wed, 18 Jul 2012 16:18:05 GMT) Full text and rfc822 format available.

Acknowledgement sent to intrigeri <intrigeri@debian.org>:
Extra info received and forwarded to list. Copy sent to wnpp@debian.org. (Wed, 18 Jul 2012 16:18:06 GMT) Full text and rfc822 format available.

Message #23 received at 662736@bugs.debian.org (full text, mbox):

From: intrigeri <intrigeri@debian.org>
To: "Pedro I. Sanchez" <pirivan.sanchez@gmail.com>
Cc: 662736@bugs.debian.org
Subject: Re: Bug#662736: ITP: maxwell -- entropy-gathering daemon
Date: Wed, 18 Jul 2012 14:41:23 +0200
Hi Pedro,

Pedro I. Sanchez wrote (18 Jul 2012 03:01:19 GMT) :
> * Package name         : maxwell
> [...]
> * Description          : entropy-gathering daemon

> [...]
> There are a number of other ways to feed entropy to random (4).

Yes, and as you for sure know, a few are in Debian already.

> The advantage of maxwell is that it is small, simple and only
> minimally hardware-dependent. The other methods also have
> advantages, and in many cases one of them will be preferable to
> this one.

I would be delighted to be pointed to a place where these many cases,
and reasons why/when other methods are preferable, are discussed in
a bit more detail :)

Cheers,
-- 
  intrigeri
  | GnuPG key @ https://gaffer.ptitcanardnoir.org/intrigeri/intrigeri.asc
  | OTR fingerprint @ https://gaffer.ptitcanardnoir.org/intrigeri/otr.asc



Information forwarded to debian-bugs-dist@lists.debian.org, wnpp@debian.org:
Bug#662736; Package wnpp. (Wed, 18 Jul 2012 20:51:05 GMT) Full text and rfc822 format available.

Acknowledgement sent to Martin Eberhard Schauer <Martin.E.Schauer@gmx.de>:
Extra info received and forwarded to list. Copy sent to wnpp@debian.org. (Wed, 18 Jul 2012 20:51:05 GMT) Full text and rfc822 format available.

Message #28 received at 662736@bugs.debian.org (full text, mbox):

From: Martin Eberhard Schauer <Martin.E.Schauer@gmx.de>
To: 662736@bugs.debian.org, debian-mentors@lists.debian.org
Cc: "Pedro I. Sanchez" <pirivan.sanchez@gmail.com>
Subject: Re: Bug#662736: ITP: maxwell -- entropy-gathering daemon
Date: Wed, 18 Jul 2012 22:43:23 +0200
> Package: wnpp
> Followup-For: Bug #662736
> Owner: "Pedro I. Sanchez"<psanchez@fosstel.com>
>
> Package: wnpp
> Followup-For: Bug #662736
> Owner: "Pedro I. Sanchez"<psanchez@fosstel.com>
>
> Package: wnpp
> Followup-For: Bug #662736
> Owner: "Pedro I. Sanchez"<psanchez@fosstel.com>
>
> Package: wnpp
> Severity: wishlist
>    
Hi Pedro,

if I understand things right, you missed a CC to

|  control@bugs.debian.org

and a separate line

   thanks

to make your control commands become effective.
|
> * Package name         : maxwell
>    Version              : 1.2-1
>    Upstream Author      : Sandy Harris<sandyinchina@gmail.com>
> * URL                  : ftp://ftp.cs.sjtu.edu.cn:990/sandy/maxwell/
> * License              : GPL v2
>    Programming Language : C
> * Description          : entropy-gathering daemon
>
> Daemon to gather entropy from a timer and feed it to random(4).
>
> maxwell collects randomness from the small variations in a system
> timer, distills it into a concentrated form, and sends it to random (4).
>
> The amount of output varies with the parameters chosen, but is
> generally a few K bits per second. The quality is intended to be very high.
> Both volume and quality should be adequate for most applications.
>
> There are a number of other ways to feed entropy to random (4).
> The advantage of maxwell is that it is small, simple and only minimally
> hardware-dependent. The other methods also have advantages, and in many
> cases one of them will be preferable to this one.
>    
Please consider an informal review of the package description on
debian-l10n-english as well.

To me the first paragraph is an incomplete sentence and its
information is contained in the second as well. How about

    The maxwell daemon collects randomness from the small variations in a
    system timer, distills it into a concentrated form, and sends it to
    random(4).

And most of the last two paragraphs seems vague and trivial.

    Both volume and quality should be adequate for most applications.

A typical use case would help.

    The other methods also have advantages, and in many cases one of
    them will be preferable to this one.

The advantages are trivial. The alternate methods are not mentioned.
What are the criteria?

And perhaps some words on "why the name" would not hurt. Some people
primarily think of electromagnetic fields when they hear/read "Maxwell".

BTW: I strongly suggest s/random (4)/random(4)/ and appreciate the
hint to the manual page.


Martin





Information forwarded to debian-bugs-dist@lists.debian.org, wnpp@debian.org:
Bug#662736; Package wnpp. (Thu, 19 Jul 2012 00:06:05 GMT) Full text and rfc822 format available.

Acknowledgement sent to "Pedro I. Sanchez" <psanchez@colcan.ca>:
Extra info received and forwarded to list. Copy sent to wnpp@debian.org. (Thu, 19 Jul 2012 00:06:05 GMT) Full text and rfc822 format available.

Message #33 received at 662736@bugs.debian.org (full text, mbox):

From: "Pedro I. Sanchez" <psanchez@colcan.ca>
To: Martin Eberhard Schauer <Martin.E.Schauer@gmx.de>
Cc: 662736@bugs.debian.org, debian-mentors@lists.debian.org
Subject: Re: Bug#662736: ITP: maxwell -- entropy-gathering daemon
Date: Wed, 18 Jul 2012 19:44:51 -0400
On 12-07-18 04:43 PM, Martin Eberhard Schauer wrote:
>
>> Package: wnpp
>> Followup-For: Bug #662736
>> Owner: "Pedro I. Sanchez"<psanchez@fosstel.com>
>>
>> Package: wnpp
>> Followup-For: Bug #662736
>> Owner: "Pedro I. Sanchez"<psanchez@fosstel.com>
>>
>> Package: wnpp
>> Followup-For: Bug #662736
>> Owner: "Pedro I. Sanchez"<psanchez@fosstel.com>
>>
>> Package: wnpp
>> Severity: wishlist
> Hi Pedro,
>
> if I understand things right, you missed a CC to
>
> |  control@bugs.debian.org
>
> and a separate line
>
>     thanks
>
> to make your control commands become effective.
> |
>> * Package name         : maxwell
>>    Version              : 1.2-1
>>    Upstream Author      : Sandy Harris<sandyinchina@gmail.com>
>> * URL                  : ftp://ftp.cs.sjtu.edu.cn:990/sandy/maxwell/
>> * License              : GPL v2
>>    Programming Language : C
>> * Description          : entropy-gathering daemon
>>
>> Daemon to gather entropy from a timer and feed it to random(4).
>>
>> maxwell collects randomness from the small variations in a system
>> timer, distills it into a concentrated form, and sends it to random (4).
>>
>> The amount of output varies with the parameters chosen, but is
>> generally a few K bits per second. The quality is intended to be very
>> high.
>> Both volume and quality should be adequate for most applications.
>>
>> There are a number of other ways to feed entropy to random (4).
>> The advantage of maxwell is that it is small, simple and only minimally
>> hardware-dependent. The other methods also have advantages, and in many
>> cases one of them will be preferable to this one.
> Please consider an informal review of the package description on
> debian-l10n-english as well.
>
> To me the first paragraph is an incomplete sentence and its
> information is contained in the second as well. How about
>
>      The maxwell daemon collects randomness from the small variations in a
>      system timer, distills it into a concentrated form, and sends it to
>      random(4).
>
> And most of the last two paragraphs seems vague and trivial.
>
>      Both volume and quality should be adequate for most applications.
>
> A typical use case would help.
>
>      The other methods also have advantages, and in many cases one of
>      them will be preferable to this one.
>
> The advantages are trivial. The alternate methods are not mentioned.
> What are the criteria?
>
> And perhaps some words on "why the name" would not hurt. Some people
> primarily think of electromagnetic fields when they hear/read "Maxwell".
>
> BTW: I strongly suggest s/random (4)/random(4)/ and appreciate the
> hint to the manual page.
>
>
> Martin
>
>

Hi Martin,

Regarding the missing CC to control@bugs.debian.org, I didn't know about 
it. But I used reportbug to send the ITP bug update and I assumed that 
any standard CC would be taken care of by reportbug. Anyway, shall I 
copy the ITP bug to control@bugs.debian.org now? or is it too late?

Regarding the package description, I just copied verbatim the text 
from the upstream maintainer. I'll take your comments into consideration 
for the next revision of the package.

Thank you for your comments.

-- 
Pedro I. Sanchez




Information forwarded to debian-bugs-dist@lists.debian.org, wnpp@debian.org:
Bug#662736; Package wnpp. (Thu, 19 Jul 2012 00:54:03 GMT) Full text and rfc822 format available.

Acknowledgement sent to "Pedro I. Sanchez" <psanchez@colcan.ca>:
Extra info received and forwarded to list. Copy sent to wnpp@debian.org. (Thu, 19 Jul 2012 00:54:03 GMT) Full text and rfc822 format available.

Message #38 received at 662736@bugs.debian.org (full text, mbox):

From: "Pedro I. Sanchez" <psanchez@colcan.ca>
To: Martin Eberhard Schauer <Martin.E.Schauer@gmx.de>
Cc: 662736@bugs.debian.org, debian-mentors@lists.debian.org
Subject: Re: Bug#662736: ITP: maxwell -- entropy-gathering daemon
Date: Wed, 18 Jul 2012 20:50:14 -0400
On 12-07-18 07:44 PM, Pedro I. Sanchez wrote:
> On 12-07-18 04:43 PM, Martin Eberhard Schauer wrote:
>>
>>> Package: wnpp
>>> Followup-For: Bug #662736
>>> Owner: "Pedro I. Sanchez"<psanchez@fosstel.com>
>>>
>>> Package: wnpp
>>> Followup-For: Bug #662736
>>> Owner: "Pedro I. Sanchez"<psanchez@fosstel.com>
>>>
>>> Package: wnpp
>>> Followup-For: Bug #662736
>>> Owner: "Pedro I. Sanchez"<psanchez@fosstel.com>
>>>
>>> Package: wnpp
>>> Severity: wishlist
>> Hi Pedro,
>>
>> if I understand things right, you missed a CC to
>>
>> |  control@bugs.debian.org
>>
>> and a separate line
>>
>>     thanks
>>
>> to make your control commands become effective.
>> |
>>> * Package name         : maxwell
>>>    Version              : 1.2-1
>>>    Upstream Author      : Sandy Harris<sandyinchina@gmail.com>
>>> * URL                  : ftp://ftp.cs.sjtu.edu.cn:990/sandy/maxwell/
>>> * License              : GPL v2
>>>    Programming Language : C
>>> * Description          : entropy-gathering daemon
>>>
>>> Daemon to gather entropy from a timer and feed it to random(4).
>>>
>>> maxwell collects randomness from the small variations in a system
>>> timer, distills it into a concentrated form, and sends it to random (4).
>>>
>>> The amount of output varies with the parameters chosen, but is
>>> generally a few K bits per second. The quality is intended to be very
>>> high.
>>> Both volume and quality should be adequate for most applications.
>>>
>>> There are a number of other ways to feed entropy to random (4).
>>> The advantage of maxwell is that it is small, simple and only minimally
>>> hardware-dependent. The other methods also have advantages, and in many
>>> cases one of them will be preferable to this one.
>> Please consider an informal review of the package description on
>> debian-l10n-english as well.
>>
>> To me the first paragraph is an incomplete sentence and its
>> information is contained in the second as well. How about
>>
>>      The maxwell daemon collects randomness from the small variations in a
>>      system timer, distills it into a concentrated form, and sends it to
>>      random(4).
>>
>> And most of the last two paragraphs seems vague and trivial.
>>
>>      Both volume and quality should be adequate for most applications.
>>
>> A typical use case would help.
>>
>>      The other methods also have advantages, and in many cases one of
>>      them will be preferable to this one.
>>
>> The advantages are trivial. The alternate methods are not mentioned.
>> What are the criteria?
>>
>> And perhaps some words on "why the name" would not hurt. Some people
>> primarily think of electromagnetic fields when they hear/read "Maxwell".
>>
>> BTW: I strongly suggest s/random (4)/random(4)/ and appreciate the
>> hint to the manual page.
>>
>>
>> Martin
>>
>>
>
> Hi Martin,
>
> Regarding the missing CC to control@bugs.debian.org, I didn't know about
> it. But I used reportbug to send the ITP bug update and I assumed that
> any standard CC would be taken care of by reportbug. Anyway, shall I
> copy the ITP bug to control@bugs.debian.org now? or is it too late?
>
> Regarding the package description, I just copied verbatim the text
> from the upstream maintainer. I'll take your comments into consideration
> for the next revision of the package.
>
> Thank you for your comments.
>

I forgot to mention that the package comes with the file Maxwell.pdf 
with details about the rationale behind the implemented algorithm.

-- 
Pedro I. Sanchez




Changed Bug title to 'ITP: maxwell -- entropy-gathering daemon' from 'RFP: maxwell -- entropy-gathering daemon' Request was from Bart Martens <bartm@debian.org> to control@bugs.debian.org. (Thu, 19 Jul 2012 05:45:03 GMT) Full text and rfc822 format available.

Owner recorded as "Pedro I. Sanchez" <psanchez@fosstel.com>. Request was from Bart Martens <bartm@debian.org> to control@bugs.debian.org. (Thu, 19 Jul 2012 05:45:03 GMT) Full text and rfc822 format available.

Added blocking bug(s) of 662736: 682035 Request was from Bart Martens <bartm@quantz.debian.org> to control@bugs.debian.org. (Thu, 19 Jul 2012 06:21:03 GMT) Full text and rfc822 format available.

Information forwarded to debian-bugs-dist@lists.debian.org, wnpp@debian.org, "Pedro I. Sanchez" <psanchez@fosstel.com>:
Bug#662736; Package wnpp. (Thu, 19 Jul 2012 17:00:03 GMT) Full text and rfc822 format available.

Acknowledgement sent to Antti-Juhani Kaijanaho <antti-juhani@kaijanaho.fi>:
Extra info received and forwarded to list. Copy sent to wnpp@debian.org, "Pedro I. Sanchez" <psanchez@fosstel.com>. (Thu, 19 Jul 2012 17:00:03 GMT) Full text and rfc822 format available.

Message #49 received at 662736@bugs.debian.org (full text, mbox):

From: Antti-Juhani Kaijanaho <antti-juhani@kaijanaho.fi>
To: Martin Eberhard Schauer <Martin.E.Schauer@gmx.de>
Cc: 662736@bugs.debian.org, debian-mentors@lists.debian.org, "Pedro I. Sanchez" <pirivan.sanchez@gmail.com>
Subject: Re: Bug#662736: ITP: maxwell -- entropy-gathering daemon
Date: Thu, 19 Jul 2012 19:50:05 +0300
On Wed, Jul 18, 2012 at 10:43:23PM +0200, Martin Eberhard Schauer wrote:
> 
> >Package: wnpp
> >Followup-For: Bug #662736
> >Owner: "Pedro I. Sanchez"<psanchez@fosstel.com>
> >
> >Package: wnpp
> >Followup-For: Bug #662736
> >Owner: "Pedro I. Sanchez"<psanchez@fosstel.com>
> >
> >Package: wnpp
> >Followup-For: Bug #662736
> >Owner: "Pedro I. Sanchez"<psanchez@fosstel.com>
> >
> >Package: wnpp
> >Severity: wishlist
> Hi Pedro,
> 
> if I understand things right, you missed a CC to
> 
> |  control@bugs.debian.org
> 
> and a separate line
> 
>    thanks
> 
> to make your control commands become effective.

There are no control commands in that message, and thus CC to
control@bugs.debian.org would be inappropriate.  Adding a thanks line would be
unnecessary, for the same reason.

Control commands have the form 
  command bugnumber parameters
all in one line for a single command.  The above lines are pseudo-headers
(unnecessarily repetitive ones) and should not be sent to control@bugs.

By the way, my custom is to never CC control@bugs, instead I tend to BCC it.
That way, any reply-to-all to such a message will not get accidentally copied
to control@.

-- 
Antti-Juhani Kaijanaho, Jyväskylä, Finland
http://antti-juhani.kaijanaho.fi/newblog/
http://www.flickr.com/photos/antti-juhani/




Information forwarded to debian-bugs-dist@lists.debian.org, wnpp@debian.org, "Pedro I. Sanchez" <psanchez@fosstel.com>:
Bug#662736; Package wnpp. (Fri, 20 Jul 2012 14:15:03 GMT) Full text and rfc822 format available.

Acknowledgement sent to Henrique de Moraes Holschuh <hmh@hmh.eng.br>:
Extra info received and forwarded to list. Copy sent to wnpp@debian.org, "Pedro I. Sanchez" <psanchez@fosstel.com>. (Fri, 20 Jul 2012 14:15:03 GMT) Full text and rfc822 format available.

Message #54 received at 662736@bugs.debian.org (full text, mbox):

From: Henrique de Moraes Holschuh <hmh@hmh.eng.br>
To: 662736@bugs.debian.org
Subject: Some concerns about adding maxwell to Debian
Date: Fri, 20 Jul 2012 11:11:48 -0300
I am somewhat worried about this package being added to Debian.

The kernel itself is responsible for collecting randomness from interrupts
when it is deemed safe enough, this is NOT a task well suited to userspace.
Userspace should gather entropy from external sources (like audio noise, USB
HRNGs, or an entropy data feed over the network).

Timer interrupts are the most dangerous of them all for entropy gathering:
there are strong correlations between the userspace process scheduler and
timer interrupts and the kernel timers/clocks, the NOHZ tickless mode
interferes with it, and any hypervisor/VM environment will interfere a lot
with timekeeping as well.  Both light loads and heavy loads may cause timer
jitter to have a lot less noise than expected.

One would need to have statistically significant proof that the operations
implemented by the maxwell daemon are indeed enough to provide the expected
entropy on a variety of scenarios that are relevant to the timers and to the
process scheduler, *using the Debian kernel targeted for release*, on every
arch it is going to be available for.  This does not seem feasible.

Also, the BIAS on anything related to interfering with the system RNG must
be on security, and not on "small fast program".

I don't think we should accept this package in Debian as-is.

I recommend it to be restricted to archs where it was tested, which is
x86-64 right now (more can be added if either the maintainer or upstream
does the required testing using diehard).  I also recommend that at least
the high syscall load be addressed upstream first (batch several seconds
worth of entropy, and feed it in just one ioctl syscall to the kernel).  It
would also be advisable to ship it configured by default in Debian to credit
at most 50%-70% of entropy, so as to account for unexpected behaviour on the
process scheduler and system timers.

I'd also recommend that it be tested first in a VM environment, using
maxwell -t inside a VM to generate the required (gigabytes) of data to a
file (lightly-loaded VM), and then to run diehard on the result.  The test
with a heavy-loaded VM can be done by just running maxwell and diehard in a
pipe configuration inside the same VM.

Initial entropy at very early boot, before Debian seeds the kernel, is a
task that can only be done properly by the kernel itself, and is being
addressed there at this time (patches have already been proposed).  The
proper fix for better initial entropy at boot is to backport these changes
to the Debian kernel.  I do not consider maxwell relevant for this scenario.

For other entropy gathering needs, there are safer choices.  This should be
reflected on the package description.

Another concern is that maxwell looks like an academic work from upstream,
it would be best to talk to upstream to check their medium and long-term
plans for maintaining maxwell, etc. before we commit to shipping maxwell in
Debian stable.  As long as it is not shipped in Wheezy, this is not an
immediate or very pressing concern, as it is relatively harmless to remove
packages that are present only on testing and unstable, and never made it to
a stable Debian release.

-- 
  "One disk to rule them all, One disk to find them. One disk to bring
  them all and in the darkness grind them. In the Land of Redmond
  where the shadows lie." -- The Silicon Valley Tarot
  Henrique Holschuh
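
The batching and conservative crediting recommended in the message above, as an added example that is not part of the thread and is not maxwell's code: a whole batch goes to the kernel in one `RNDADDENTROPY` ioctl, and only a chosen percentage of the raw bit count is credited. `struct rand_pool_info` and `RNDADDENTROPY` come from `<linux/random.h>`; the function names, the 512-byte batch and the 60% figure are assumptions made for illustration.

```c
/* Added example: batch gathered bytes and hand them to the kernel in ONE
 * RNDADDENTROPY ioctl, crediting only a fraction of the raw bit count.
 * Function names are hypothetical; this is not maxwell's code. */
#include <errno.h>
#include <fcntl.h>
#include <limits.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/ioctl.h>
#include <unistd.h>
#include <linux/random.h> /* struct rand_pool_info, RNDADDENTROPY */

/* Entropy (in bits) to credit for nbytes of input when only credit_pct
 * percent of the raw bit count is trusted. Returns -1 on bad arguments. */
int credited_bits(size_t nbytes, unsigned credit_pct)
{
    if (credit_pct > 100 || nbytes > (size_t)(INT_MAX / 8))
        return -1;
    return (int)(((uint64_t)nbytes * 8u * credit_pct) / 100u);
}

/* Build the ioctl argument for one batch. Caller frees the result. */
struct rand_pool_info *build_batch(const unsigned char *data, size_t nbytes,
                                   unsigned credit_pct)
{
    int bits = credited_bits(nbytes, credit_pct);
    struct rand_pool_info *info;

    if (data == NULL || nbytes == 0 || bits < 0)
        return NULL;
    info = malloc(sizeof(*info) + nbytes);
    if (info == NULL)
        return NULL;
    info->entropy_count = bits;   /* bits credited, not bits supplied */
    info->buf_size = (int)nbytes; /* payload length in bytes */
    /* The payload sits directly after the two-int header. */
    memcpy((unsigned char *)(info + 1), data, nbytes);
    return info;
}

/* One syscall for the whole batch. Needs CAP_SYS_ADMIN.
 * Returns 0 on success, or a negative errno value. */
int feed_batch(const struct rand_pool_info *info)
{
    int fd, rc = 0;

    if (info == NULL)
        return -EINVAL;
    fd = open("/dev/random", O_WRONLY);
    if (fd < 0)
        return -errno;
    if (ioctl(fd, RNDADDENTROPY, info) < 0)
        rc = -errno;
    close(fd);
    return rc;
}

int main(void)
{
    /* Constructed placeholder standing in for several seconds of gathered
     * output; it is NOT entropy, so this demo never feeds it to the kernel. */
    unsigned char batch[512];
    struct rand_pool_info *info;

    memset(batch, 0xA5, sizeof(batch));
    info = build_batch(batch, sizeof(batch), 60);
    if (info == NULL)
        return 1;
    printf("%d bytes supplied, %d bits credited\n",
           info->buf_size, info->entropy_count);
    free(info);
    return 0;
}
```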



Information forwarded to debian-bugs-dist@lists.debian.org, wnpp@debian.org:
Bug#662736; Package wnpp. (Sun, 22 Jul 2012 16:06:03 GMT) Full text and rfc822 format available.

Acknowledgement sent to "Pedro I. Sanchez" <psanchez@fosstel.com>:
Extra info received and forwarded to list. Copy sent to wnpp@debian.org. (Sun, 22 Jul 2012 16:06:03 GMT) Full text and rfc822 format available.

Message #59 received at 662736@bugs.debian.org (full text, mbox):

From: "Pedro I. Sanchez" <psanchez@fosstel.com>
To: Henrique de Moraes Holschuh <hmh@hmh.eng.br>, 662736@bugs.debian.org
Cc: sandyinchina@gmail.com
Subject: Re: Bug#662736: Some concerns about adding maxwell to Debian
Date: Sun, 22 Jul 2012 11:27:01 -0400
On 12-07-20 10:11 AM, Henrique de Moraes Holschuh wrote:
> I am somewhat worried about this package being added to Debian.
>
> The kernel itself is responsible for collecting randomness from interrupts
> when it is deemed safe enough, this is NOT a task well suited to userspace.
> Userspace should gather entropy from external sources (like audio noise, USB
> HRNGs, or an entropy data feed over the network).
>
> Timer interrupts are the most dangerous of them all for entropy gathering:
> there are strong correlations between the userspace process scheduler and
> timer interrupts and the kernel timers/clocks, the NOHZ tickless mode
> interferes with it, and any hypervisor/VM environment will interfere a lot
> with timekeeping as well.  Both light loads and heavy loads may cause timer
> jitter to have a lot less noise than expected.
>
> One would need to have statistically significant proof that the operations
> implemented by the maxwell daemon are indeed enough to provide the expected
> entropy on a variety of scenarios that are relevant to the timers and to the
> process scheduler, *using the Debian kernel targeted for release*, on every
> arch it is going to be available for.  This does not seem feasible.
>
> Also, the BIAS on anything related to interfering with the system RNG must
> be on security, and not on "small fast program".
>
> I don't think we should accept this package in Debian as-is.
>

Labeling the algorithm as "good" or "bad" is going to be context 
sensitive. Small embedded systems with no network activity, such as 
monitors or autonomous process controllers, might benefit from a 
timer-based entropy generator for example. In any case, I don't believe 
that it is up to the Debian distribution to determine in advance whether 
a package is good or bad for a system; as with any other package, this 
decision ultimately belongs to the system designer or administrator who 
knows what he wants to achieve. We have to provide the package in the 
first place, ensure that it is run with safe default values, and that it 
is properly documented so that someone else can make a final educated 
decision on the program's fit for a particular application.

> I recommend it to be restricted to archs where it was tested, which is
> x86-64 right now (more can be added if either the maintainer or upstream
> does the required testing using diehard).  I also recommend that at least
> the high syscall load be addressed upstream first (batch several seconds
> worth of entropy, and feed it in just one ioctl syscall to the kernel).  It
> would also be advisable to ship it configured by default in Debian to credit
> at most 50%-70% of entropy, so as to account for unexpected behaviour on the
> process scheduler and system timers.
>

I do agree in that if Maxwell is to be introduced it has to be done on 
an arch by arch basis as the program testing plan goes. At this moment 
it has only been tested on the x86-64. As a potential maintainer for 
this program I can say that I have the capability to also test it on x86 
and soon in ARM archs.

Your recommendations are worth noticing and will certainly be considered 
as the maintenance and packaging exercise move along. I just did a first 
round of packaging to get things started but there is certainly much 
more work yet to be done.

> I'd also recommend that it be tested first in a VM environment, using
> maxwell -t inside a VM to generate the required (gigabytes) of data to a
> file (lightly-loaded VM), and then to run diehard on the result.  The test
> with a heavy-loaded VM can be done by just running maxwell and diehard in a
> pipe configuration inside the same VM.
>
> Initial entropy at very early boot, before Debian seeds the kernel, is a
> task that can only be done properly by the kernel itself, and is being
> addressed there at this time (patches have already been proposed).  The
> proper fix for better initial entropy at boot is to backport these changes
> to the Debian kernel.  I do not consider maxwell relevant for this scenario.
>
> For other entropy gathering needs, there are safer choices.  This should be
> reflected on the package description.
>

Agree, as I mentioned before, work on documentation is needed to ensure 
that we provide enough information for the system designer/administrator 
to make an informed decision about how to use or not to use maxwell.

> Another concern is that maxwell looks like an academic work from upstream,
> it would be best to talk to upstream to check their medium and long-term
> plans for maintaining maxwell, etc. before we commit to shipping maxwell in
> Debian stable.  As long as it is not shipped in Wheezy, this is not an
> immediate or very pressing concern, as it is relatively harmless to remove
> packages that are present only on testing and unstable, and never made it to
> a stable Debian release.
>

I do share this concern as well. I invite the upstream maintainer to let 
us know about his plans and what we can expect as support from him in 
the short and long terms. I added him to the CC of this e-mail just in 
case he is not monitoring the #662736.

Thank you for your comments and interest in this package.

-- 
Pedro I. Sanchez



Information forwarded to debian-bugs-dist@lists.debian.org, wnpp@debian.org, "Pedro I. Sanchez" <psanchez@fosstel.com>:
Bug#662736; Package wnpp. (Mon, 23 Jul 2012 13:21:05 GMT) Full text and rfc822 format available.

Acknowledgement sent to Sandy Harris <sandyinchina@gmail.com>:
Extra info received and forwarded to list. Copy sent to wnpp@debian.org, "Pedro I. Sanchez" <psanchez@fosstel.com>. (Mon, 23 Jul 2012 13:21:05 GMT) Full text and rfc822 format available.

Message #64 received at 662736@bugs.debian.org (full text, mbox):

From: Sandy Harris <sandyinchina@gmail.com>
To: "Pedro I. Sanchez" <psanchez@fosstel.com>
Cc: Henrique de Moraes Holschuh <hmh@hmh.eng.br>, 662736@bugs.debian.org
Subject: Re: Bug#662736: Some concerns about adding maxwell to Debian
Date: Mon, 23 Jul 2012 21:19:31 +0800
I am the author of Maxwell. Replies to some comments
below.

Pedro I. Sanchez <psanchez@fosstel.com> wrote:

> On 12-07-20 10:11 AM, Henrique de Moraes Holschuh wrote:
>>
>> I am somewhat worried about this package being added to Debian.
>>
>> The kernel itself is responsible for collecting randomness from interrupts
>> when it is deemed safe enough, this is NOT a task well suited to
>> userspace.
>> Userspace should gather entropy from external sources (like audio noise,
>> USB
>> HRNGs, or an entropy data feed over the network).

Valid concerns. Certainly where a hardware RNG or audio device
is available, that should be used in preference to Maxwell. In
particular, I would say supporting Turbid (discussed in the
Maxwell paper and, last I looked, also on the Debian list of
requested programs) is more important than Maxwell.

> Labeling the algorithm as "good" or "bad" is going to be context sensitive.
> Small embedded systems with no network activity, such as monitors or
> autonomous process controllers, might benefit from a timer-based entropy
> generator for example.

The target I was thinking of in designing the program was Freedom Box.

> In any case, I don't believe that it is up to the
> Debian distribution to determine in advance whether a package is good or bad
> for a system; as with any other package, this decision ultimately belongs to
> the system designer or administrator who knows what he wants to achieve. We
> have to provide the package in the first place, ensure that it is run with
> safe default values, and that it is properly documented so that someone
> else can make a final educated decision on the program's fit for a
> particular application.


>> I recommend it to be restricted to archs where it was tested, which is
>> x86-64 right now ...

Yes

>> It would also be advisable to ship it configured by default in
>> Debian to credit at most 50%-70% of entropy, so as to account
>> for unexpected behaviour ...

Arguably, that is built in. I cite research showing about one
bit of entropy per sample and run tests that show somewhat
more. The program's default is 48 samples per 32-bit output.
The user interface lets the admin increase the number of
samples per output, but not lower it.

The 48 above is 16 times a #define compile-time constant.
If a particular environment needs more, changing that
constant is easy.

>> I'd also recommend that it be tested first in a VM environment, ...

Good idea.

>> Initial entropy at very early boot, before Debian seeds the kernel, is a
>> task that can only be done properly by the kernel itself, and is being
>> addressed there at this time (patches have already been proposed).  The
>> proper fix for better initial entropy at boot is to backport these changes
>> to the Debian kernel.  I do not consider maxwell relevant for this
>> scenario.

Where can I get info on those patches? I am on the linux-crypto list
and have not noticed them there.

>> For other entropy gathering needs, there are safer choices.  This should
>> be reflected on the package description.
>
> Agree, as I mentioned before, work on documentation is needed to ensure that
> we provide enough information for the system designer/administrator to make
> an informed decision about how to use or not to use maxwell.

I thought I'd dealt with that in the man page & PDF.

>> Another concern is that maxwell looks like an academic work from upstream,
>> it would be best to talk to upstream ...
>
> I do share this concern as well. I invite the upstream maintainer to let us
> know about his plans and what we can expect as support from him in the short
> and long terms.

I've been using various Unix or Unix-like systems for several decades and
working on crypto & security for quite a while too. I hope to be around
and active in those areas indefinitely. Subject to assorted constraints,
I'm willing to assist in any way you need.

That said, I think of Maxwell as a finished project, and have no plans
for a version 2.0 or other changes.
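
Added example, not maxwell's code and not written by any participant in this thread: it works through the crediting question discussed above, relating the suggested 50%-70% entropy credit to the default of 48 samples per 32-bit output. It assumes one bit per sample (the figure cited above) and uses the RNDADDENTROPY ioctl from random(4) as the way a userspace daemon credits the kernel pool; how maxwell itself credits entropy is not stated on this page, and all function names are hypothetical.

```c
#include <fcntl.h>
#include <stdint.h>
#include <stdio.h>
#include <sys/ioctl.h>
#include <unistd.h>
#include <linux/random.h>            /* RNDADDENTROPY, see random(4) */

/* Bits to credit for one output word: estimated input entropy (samples x
 * millibits per sample), derated to credit_pct percent, capped at out_bits. */
int credit_bits(int samples, int mbits_per_sample, int credit_pct, int out_bits)
{
    long long est = (long long)samples * mbits_per_sample * credit_pct / 100000LL;
    if (est < 0) est = 0;
    return est > out_bits ? out_bits : (int)est;
}

/* Smallest sample count that justifies crediting the whole output word. */
int samples_for_full_credit(int out_bits, int mbits_per_sample, int credit_pct)
{
    long long per = (long long)mbits_per_sample * credit_pct;
    if (per <= 0)
        return -1;                   /* no entropy claimed: never credit */
    return (int)(((long long)out_bits * 100000LL + per - 1) / per);
}

/* Mix one 32-bit word into the kernel pool and credit `bits` of entropy.
 * Needs CAP_SYS_ADMIN. Returns 0 on success, -1 on error. */
int feed_kernel(uint32_t word, int bits)
{
    struct { int entropy_count; int buf_size; uint32_t buf[1]; } req;
    int fd, rc;
    req.entropy_count = bits;             /* credit, in bits */
    req.buf_size = (int)sizeof req.buf;   /* payload length, in bytes */
    req.buf[0] = word;
    if ((fd = open("/dev/random", O_WRONLY)) < 0)
        return -1;
    rc = ioctl(fd, RNDADDENTROPY, &req);
    close(fd);
    return rc == 0 ? 0 : -1;
}

int main(void)
{
    /* One bit (1000 millibits) per sample is the figure cited in the thread. */
    for (int pct = 50; pct <= 70; pct += 10)
        printf("credit %d%%: %d samples per 32-bit word\n",
               pct, samples_for_full_credit(32, 1000, pct));
    return 0;
}
```

At one bit per sample, 48 samples per 32-bit word is what a 67% credit requires; a 50% credit would need 64 samples.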



Information forwarded to debian-bugs-dist@lists.debian.org, wnpp@debian.org, "Pedro I. Sanchez" <psanchez@fosstel.com>:
Bug#662736; Package wnpp. (Mon, 23 Jul 2012 18:39:03 GMT)

Acknowledgement sent to Henrique de Moraes Holschuh <hmh@debian.org>:
Extra info received and forwarded to list. Copy sent to wnpp@debian.org, "Pedro I. Sanchez" <psanchez@fosstel.com>. (Mon, 23 Jul 2012 18:39:03 GMT)

Message #69 received at 662736@bugs.debian.org:

From: Henrique de Moraes Holschuh <hmh@debian.org>
To: Sandy Harris <sandyinchina@gmail.com>
Cc: "Pedro I. Sanchez" <psanchez@fosstel.com>, 662736@bugs.debian.org
Subject: Re: Bug#662736: Some concerns about adding maxwell to Debian
Date: Mon, 23 Jul 2012 15:38:12 -0300

On Mon, 23 Jul 2012, Sandy Harris wrote:
> >> Initial entropy at very early boot, before Debian seeds the kernel, is a
> >> task that can only be done properly by the kernel itself, and is being
> >> addressed there at this time (patches have already been proposed).  The
> >> proper fix for better initial entropy at boot is to backport these changes
> >> to the Debian kernel.  I do not consider maxwell relevant for this
> >> scenario.
> 
> Where can I get info on those patches? I am on the linux-crypto list
> and have not noticed them there.

Look for Ted Tso's /dev/random work in LKML itself:
http://lkml.kernel.org/r/1341511933-11169-1-git-send-email-tytso@mit.edu

> >> For other entropy gathering needs, there are safer choices.  This should
> >> be reflected on the package description.
> >
> > Agree, as I mentioned before, work on documentation is needed to ensure that
> > we provide enough information for the system designer/administrator to make
> > an informed decision about how to use or not to use maxwell.
> 
> I thought I'd dealt with that in the man page & PDF.

The typical distro user can barely be bothered enough to read package
descriptions...  So a single sentence summarizing what you wrote in the
paper about when maxwell should (not) be used is really required.

-- 
  "One disk to rule them all, One disk to find them. One disk to bring
  them all and in the darkness grind them. In the Land of Redmond
  where the shadows lie." -- The Silicon Valley Tarot
  Henrique Holschuh



Information forwarded to debian-bugs-dist@lists.debian.org, wnpp@debian.org, "Pedro I. Sanchez" <psanchez@fosstel.com>:
Bug#662736; Package wnpp. (Mon, 23 Jul 2012 23:15:07 GMT)

Acknowledgement sent to Sandy Harris <sandyinchina@gmail.com>:
Extra info received and forwarded to list. Copy sent to wnpp@debian.org, "Pedro I. Sanchez" <psanchez@fosstel.com>. (Mon, 23 Jul 2012 23:15:07 GMT)

Message #74 received at 662736@bugs.debian.org:

From: Sandy Harris <sandyinchina@gmail.com>
To: Henrique de Moraes Holschuh <hmh@debian.org>
Cc: "Pedro I. Sanchez" <psanchez@fosstel.com>, 662736@bugs.debian.org
Subject: Re: Bug#662736: Some concerns about adding maxwell to Debian
Date: Tue, 24 Jul 2012 07:10:39 +0800

On Tue, Jul 24, 2012 at 2:38 AM, Henrique de Moraes Holschuh
<hmh@debian.org> wrote:

> On Mon, 23 Jul 2012, Sandy Harris wrote:
>> >> Initial entropy at very early boot, ....
>>
>> Where can I get info on those patches? I am on the linux-crypto list
>> and have not noticed them there.
>
> Look for Ted Tso's /dev/random work in LKML itself:
> http://lkml.kernel.org/r/1341511933-11169-1-git-send-email-tytso@mit.edu

Thanks.

>> >> For other entropy gathering needs, there are safer choices.  This should
>> >> be reflected on the package description.
>> >
>> > Agree, as I mentioned before, work on documentation is needed to ensure that
>> > we provide enough information for the system designer/administrator to make
>> > an informed decision about how to use or not to use maxwell.
>>
>> I thought I'd dealt with that in the man page & PDF.
>
> The typical distro user can barely be bothered enough to read package
> descriptions...  So a single sentence summarizing what you wrote in the
> paper about when maxwell should (not) be used is really required.

Other methods -- a hardware RNG, turbid(1) or Havege(1) -- are generally
preferable to maxwell(8) if they can be used; the main applications of
maxwell(8) are on systems where those are impractical or as a second
generator as a failsafe measure.



Information forwarded to debian-bugs-dist@lists.debian.org, wnpp@debian.org, "Pedro I. Sanchez" <psanchez@fosstel.com>:
Bug#662736; Package wnpp. (Sat, 17 Aug 2013 07:14:52 GMT)

Acknowledgement sent to Lucas Nussbaum <lucas@debian.org>:
Extra info received and forwarded to list. Copy sent to wnpp@debian.org, "Pedro I. Sanchez" <psanchez@fosstel.com>. (Sat, 17 Aug 2013 07:14:52 GMT)

Message #79 received at 662736@bugs.debian.org:

From: Lucas Nussbaum <lucas@debian.org>
To: 662736@bugs.debian.org
Cc: control@bugs.debian.org
Subject: maxwell: changing back from ITP to RFP
Date: Sat, 17 Aug 2013 09:06:09 +0200

retitle 662736 RFP: maxwell -- entropy-gathering daemon
noowner 662736
tag 662736 - pending
thanks

Hi,

A long time ago, you expressed interest in packaging maxwell. Unfortunately,
it seems that it did not happen. In Debian, we try not to keep ITP bugs open
for too long, as it might cause other prospective maintainers to
refrain from packaging the software.

This is an automatic email to change the status of maxwell back from ITP
(Intent to Package) to RFP (Request for Package), because this bug hasn't seen
any activity during the last 12 months.

If you are still interested in packaging maxwell, please send a mail to
<control@bugs.debian.org> with:

 retitle 662736 ITP: maxwell -- entropy-gathering daemon
 owner 662736 !
 thanks

It is also a good idea to document your progress on this ITP from time to
time, by mailing <662736@bugs.debian.org>.  If you need guidance on how to
package this software, please reply to this email, and/or contact the
debian-mentors@lists.debian.org mailing list.

Thank you for your interest in Debian,
-- 
Lucas, for the QA team <debian-qa@lists.debian.org>



Changed Bug title to 'RFP: maxwell -- entropy-gathering daemon' from 'ITP: maxwell -- entropy-gathering daemon' Request was from Lucas Nussbaum <lucas@debian.org> to control@bugs.debian.org. (Sat, 17 Aug 2013 07:22:22 GMT)

Removed annotation that Bug was owned by "Pedro I. Sanchez" <psanchez@fosstel.com>. Request was from Lucas Nussbaum <lucas@debian.org> to control@bugs.debian.org. (Sat, 17 Aug 2013 07:22:23 GMT)


Debian bug tracking system administrator <owner@bugs.debian.org>. Last modified: Wed Apr 23 21:46:50 2014; Machine Name: buxtehude.debian.org

Debian Bug tracking system
Copyright (C) 1999 Darren O. Benham, 1997,2003 nCipher Corporation Ltd, 1994-97 Ian Jackson.