Debian Bug report logs - #841208
monkeysphere: FTBFS (not enough entropy to generate keys)

Display info messages

Message #5 received at submit@bugs.debian.org (full text, mbox, reply):

From: Santiago Vila <sanvila@debian.org>

To: Debian BTS <submit@bugs.debian.org>

Subject: monkeysphere: FTBFS (not enough entropy to generate keys)

Date: Tue, 18 Oct 2016 13:57:34 +0000

Package: src:monkeysphere
Version: 0.40-2
Severity: serious

Dear maintainer:

I tried to build this package in stretch with "dpkg-buildpackage -A"
(which is what the "Arch: all" autobuilder would do to build it)
but it failed:

--------------------------------------------------------------------------------
[...]
 debian/rules build-indep
dh build-indep
   dh_testdir -i
   dh_update_autotools_config -i
   dh_auto_configure -i
   dh_auto_build -i
	make -j1
make[1]: Entering directory '/<<PKGBUILDDIR>>'
gcc -o src/agent-transfer/agent-transfer -g -O2 -fdebug-prefix-map=/<<PKGBUILDDIR>>=. -fstack-protector-strong -Wformat -Werror=format-security   --pedantic -Wall -Werror -std=c99 -Wl,-z,relro src/agent-transfer/main.c -lassuan -L/usr/lib/x86_64-linux-gnu -lgpg-error -lgcrypt
mkdir -p replaced/src/
sed < src/monkeysphere > replaced/src/monkeysphere \
-e 's:__SYSSHAREDIR_PREFIX__:/usr:' \
-e 's:__SYSCONFDIR_PREFIX__::' \

[... snipped ...]

ms: 6FA88BBE2950EC87973066B074D22D5F837F9056:6:
ms: checking gpg_sphere owner trust set properly...
ms: checking trust model for authentication ...
ms: sphere trust model: 1:3:1
ms: reading key from stdin...
ms: checking keys in file...
ms: loading key into core keyring...
ms: executing core ltsign script...
ms: exporting core local sigs to sphere...
ms: updating sphere trustdb...
ms: Identity certifier added.

##################################################
### list certifiers...
ms: checking authentication directory structure...
ms: writing core gpg.conf...
ms: writing sphere gpg.conf...
ms: fixing sphere gnupg home ownership...
ms: determining core key fingerprint...
ms: core fingerprint: 6FA88BBE2950EC87973066B074D22D5F837F9056
ms: Monkeysphere authentication trust core already exists.
ms: exporting core pub key to sphere keyring...
ms: setting ultimate owner trust on core key in gpg_sphere...
ms: # List of assigned trustvalues, created Tue Oct 18 11:46:39 2016 CEST
ms: # (Use "gpg --import-ownertrust" to restore them)
ms: 6FA88BBE2950EC87973066B074D22D5F837F9056:6:
ms: checking gpg_sphere owner trust set properly...
ms: checking trust model for authentication ...
ms: sphere trust model: 1:3:1
ms: finding trusted keys...
ms: determining core key fingerprint...
4275279C9512E14BDD14098A36FF78B37005D3BE:
 :Monkeysphere Test Suite Fake Administrative User (DO NOT USE!!!) <fakeadmin@example.net>:1:120:

##################################################
### generating key for testuser...
ms: creating password fifo...
ms: Prompting for passphrase
ms: Launching "/<<PKGBUILDDIR>>/tests/tmp/ms.IOG/testuser/.ssh/askpass"
ms: (with prompt "Please enter your passphrase for E00B5EEEBA79B482: ")
ms: Generating subkey.  This may take a long time...

gpg: signal Terminated caught ... exiting
FAILED!
### removing temp dir...
make[1]: *** wait: No child processes.  Stop.
make[1]: *** Waiting for unfinished jobs....
make[1]: *** wait: No child processes.  Stop.
make: *** wait: No child processes.  Stop.
make: *** Waiting for unfinished jobs....
make: *** wait: No child processes.  Stop.
E: Build killed with signal TERM after 60 minutes of inactivity
--------------------------------------------------------------------------------

The relevant part of the build log is included above.

This builds ok in buildd.debian.org, but, IMO, this is not enough,
because this is like having a missing "build-depends: entropy".

Sure, official buildds usually have enough entropy, but that's not
something that we can really assume that will always happen.


Please take a look at this bug in mini-buildd which is very similar:

https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=834683

Maybe the solution that was adopted there could be used here as well.

Thanks.

Message #12 received at 841208-close@bugs.debian.org (full text, mbox, reply):

From: Daniel Kahn Gillmor <dkg@fifthhorseman.net>

To: 841208-close@bugs.debian.org

Subject: Bug#841208: fixed in monkeysphere 0.41-1

Date: Sat, 03 Dec 2016 04:48:35 +0000

Source: monkeysphere
Source-Version: 0.41-1

We believe that the bug you reported is fixed in the latest version of
monkeysphere, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 841208@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Daniel Kahn Gillmor <dkg@fifthhorseman.net> (supplier of updated monkeysphere package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@ftp-master.debian.org)


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

Format: 1.8
Date: Fri, 02 Dec 2016 22:58:25 -0500
Source: monkeysphere
Binary: monkeysphere agent-transfer
Architecture: source
Version: 0.41-1
Distribution: unstable
Urgency: medium
Maintainer: Jameson Rollins <jrollins@finestructure.net>
Changed-By: Daniel Kahn Gillmor <dkg@fifthhorseman.net>
Description:
 agent-transfer - copy a secret key from GnuPG's gpg-agent to OpenSSH's ssh-agent
 monkeysphere - leverage the OpenPGP web of trust for SSH and TLS authentication
Closes: 595947 841208 842823 846554
Changes:
 monkeysphere (0.41-1) unstable; urgency=medium
 .
   * new upstream release
     - pem2openpgp now includes issuer fingerprint subpacket
       in hashed self-sig, more compatible with GnuPG 2.1.16
       (Closes: #846554)
     - avoid blocking for entropy during test suite
       (Closes: #841208)
     - ensure that attempts to fetch primary key fingerprint only fetch
       primary key fingerprint even if subkey fprs are emitted
       (Closes: #846554)
   * convert to debhelper 10
   * wrap-and-sort -ast
   * add netcat-openbsd to Recommends (Closes: #595947)
   * switch Recommends: from cron to cron-daemon (Closes: #842823)
   * drop patches already applied upstream
   * moved debian packaging to collab-maint for better visibility
   * added debian/watch to make lintian happy
   * converted debian/NEWS to not use asterisk-bulleted style
   * use all hardening options during C build
Checksums-Sha1:
 b5c367b3c3c60676476d411689b395c8643cd584 2324 monkeysphere_0.41-1.dsc
 8d4113e8647e2bc01f889664476ed644bee7ce0e 109040 monkeysphere_0.41.orig.tar.gz
 37ed18b41558ceac39a875cc931276b33f9436b1 6032 monkeysphere_0.41-1.debian.tar.xz
Checksums-Sha256:
 ea06e673a584584616846a65c61ad0be23935559b2db69869068a281d8f9a547 2324 monkeysphere_0.41-1.dsc
 911a2f1622ddb81151b0f41cf569ccf2154d10a09b2f446dbe98fac7279fe74b 109040 monkeysphere_0.41.orig.tar.gz
 a2d0e606c693bda38548ef22601d33e2f1676da07381e82fbc9c0d437ffaf562 6032 monkeysphere_0.41-1.debian.tar.xz
Files:
 a7beb80cbd49cf316eb2e0ad1a5e7f8e 2324 net extra monkeysphere_0.41-1.dsc
 77a971850d6d35d6e1135add9c4fce5d 109040 net extra monkeysphere_0.41.orig.tar.gz
 21add23458fcb728fb9acee2633f79d4 6032 net extra monkeysphere_0.41-1.debian.tar.xz

-----BEGIN PGP SIGNATURE-----

iQJKBAEBCgA0FiEE7bLnT1b88rZyl7c1JOz/Wv9oNwoFAlhCTBIWHGRrZ0BmaWZ0
aGhvcnNlbWFuLm5ldAAKCRAk7P9a/2g3CklzD/44fQQnXxj59pQyQdOOxbsNgqgh
RwxMtrFf+QiuQ5F19+rcDoSIQHBiUoBMHP37/lSDgF8FvNHYLrF0HgR5pdg2RYA1
bQ37aalrM9mVjStclQd6PE6CqEd04LUCuDO/w2TX+iX1O+5JTYf7w0ic2I4VbzcD
+63EjVWiw2wAf3K02LDe6jaeRpOeE9/7sQ/s4P8FqiHM9PhDuJpoYvSqMpmSjgTs
UPxW5Vs9Ms053HaewrqpWPpHWOPWNfP7U7vcL1u+9KZhOxU+DouuQ6FRwncKRW3k
cp2j+bIl7jyUm0oGGVz2cT49XkgBgkAZzpIxDlwyH/B6kxk0ihl941ENKysAnqTr
CB/3G+uxDZmCmpPTauaIMFG/yHtW7OV6FDN6PwixcnVq1PFIJoBWACRKQc0WkUeL
qHtt8vrHWl+ZzPdJaci/HYUOo+XFaKR3o/pox2jfEbluen/qegtdOi5+MsLV4oQg
9KQ7vMY7cNmqKn9C6hkODVvyHVWq6vv4pETMkXIewGs78YdOKw9nPSK2q1jkbKlM
7XLWfXjZ/JurlpOS3ce/smSmKWhI97A8wtfW7fcd4s/pD3WzoIU/Q066txKAfBxR
MwUw0nfji5r+txiKyEI66UdWhvWTLDNZ7uuGEScQquO14mmatQFNx2t2SjPP/PPs
kMAS2g9yKU1W9Ntujg==
=sXgQ
-----END PGP SIGNATURE-----

Message #17 received at 841208@bugs.debian.org (full text, mbox, reply):

From: Santiago Vila <sanvila@unex.es>

To: Daniel Kahn Gillmor <dkg@fifthhorseman.net>

Cc: 841208@bugs.debian.org

Subject: Re: Bug#841208: fixed in monkeysphere 0.41-1

Date: Mon, 12 Dec 2016 18:17:37 +0100 (CET)

[Message part 1 (text/plain, inline)]

found 841208 0.41-1
thanks

Hello. Sorry for the reopening but this issue is still happening in
this version. I attach two different build logs.

Thanks.

[monkeysphere_0.41-1_amd64-20161211T041458Z.gz (application/gzip, attachment)]

[monkeysphere_0.41-1_amd64-20161211T043600Z.gz (application/gzip, attachment)]

Message #24 received at 841208@bugs.debian.org (full text, mbox, reply):

From: Daniel Kahn Gillmor <dkg@fifthhorseman.net>

To: Santiago Vila <sanvila@unex.es>, 841208@bugs.debian.org

Subject: Re: Bug#841208: fixed in monkeysphere 0.41-1

Date: Tue, 13 Dec 2016 01:16:24 +0100

[Message part 1 (text/plain, inline)]

Hi Santiago--

thanks for the reportbacks-

On Mon 2016-12-12 18:17:37 +0100, Santiago Vila wrote:
> Hello. Sorry for the reopening but this issue is still happening in
> this version. I attach two different build logs.

thanks for the notes.  the issue is now entropy starvation during
"monkeysphere gen-subkey" in the test suite.  I'm not sure what the
right thing to do is here, other than either:

 a) adding debug-quick-random to the gpg.conf file in the test suite, or

 b) adding a build-dependency on haveged

It seems to me that there's a general upstream bug with GnuPG consuming
more entropy than it nees to, but i don't think that's going to be fixed
by upstream before stretch.

I'm likely to try proposal (a) as 0.41-2 unless i hear other
suggestions.

        --dkg

[signature.asc (application/pgp-signature, inline)]

Message #29 received at 841208@bugs.debian.org (full text, mbox, reply):

From: Petter Reinholdtsen <pere@hungry.com>

To: Daniel Kahn Gillmor <dkg@fifthhorseman.net>

Cc: Santiago Vila <sanvila@unex.es>, 841208@bugs.debian.org

Subject: Re: Bug#841208: fixed in monkeysphere 0.41-1

Date: Fri, 23 Dec 2016 22:18:12 +0100

[Daniel Kahn Gillmor]
> I'm likely to try proposal (a) as 0.41-2 unless i hear other
> suggestions.

In Debian Edu we ran into a similar problem within debian-installer, when
setting up Kerberos.  The installation would hang because the Linux kernel
collect entropy from so few sources and almost none of the sources have
activity during installation.  We solved it by running a shell script loop
in the background checking the entropy level, and flushing the disk cache
and doing find / to generate disk IO when entropy run low.

Perhaps an idea for the test code?

Check out
<URL: https://anonscm.debian.org/git/debian-edu/debian-edu-config.git/tree/share/debian-edu-config/d-i/finish-install >
for the Debian Edu implementation.

-- 
Happy hacking
Petter Reinholdtsen

Message #34 received at 841208@bugs.debian.org (full text, mbox, reply):

From: Daniel Kahn Gillmor <dkg@fifthhorseman.net>

To: Santiago Vila <sanvila@unex.es>, 841208@bugs.debian.org

Subject: Re: Bug#841208: fixed in monkeysphere 0.41-1

Date: Wed, 11 Jan 2017 14:06:21 -0500

[Message part 1 (text/plain, inline)]

Control: severity 841208 important

On Mon 2016-12-12 19:16:24 -0500, Daniel Kahn Gillmor wrote:

> thanks for the notes.  the issue is now entropy starvation during
> "monkeysphere gen-subkey" in the test suite.  I'm not sure what the
> right thing to do is here, other than either:
>
>  a) adding debug-quick-random to the gpg.conf file in the test suite, or

I looked into this, and i think this is actually already being done :/

in tests/common, we define get_gpg_prng_arg(), and in tests/basic, we
apply it to all the gpg.conf files that should be relevant.

>  b) adding a build-dependency on haveged

this seems weirdly roundabout.  we don't actually build-depend on
haveged, we build-depend on haveged actually running on the platform in
question and pushing its "entropy" into the kernel's buffers.

Or, we depend on a kernel that seeds itself once for entropy and remains
in a non-blocking state because of a good internal CSPRNG.

Or, we depend on having an entropykey attached.

Or …

Can we just say that the test suite needs entropy somehow?

> It seems to me that there's a general upstream bug with GnuPG consuming
> more entropy than it nees to, but i don't think that's going to be fixed
> by upstream before stretch.

This is sadly still true :/

I'm reducing the severity of this bug report because (a) we understand
the issue, and (b) it's not actually an issue on the debian buildd
infrastructure (the arch-all builder did not hang in the way that
Santiago reported).

Please also see https://bugs.debian.org/850094 for more general
discussion of similar situations.

The issue is still unresolved, but i'm not sure how to fix it, and i
don't think that it should make the package be removed from stretch, so
i don't think this issue is RC.

I hope this severity change is understandable.

Regards,

           --dkg

[signature.asc (application/pgp-signature, inline)]

Message #41 received at 841208@bugs.debian.org (full text, mbox, reply):

From: Daniel Kahn Gillmor <dkg@fifthhorseman.net>

To: Petter Reinholdtsen <pere@hungry.com>

Cc: Santiago Vila <sanvila@unex.es>, 841208@bugs.debian.org

Subject: Re: Bug#841208: fixed in monkeysphere 0.41-1

Date: Wed, 11 Jan 2017 13:58:37 -0500

[Message part 1 (text/plain, inline)]

On Fri 2016-12-23 16:18:12 -0500, Petter Reinholdtsen wrote:
> [Daniel Kahn Gillmor]
>> I'm likely to try proposal (a) as 0.41-2 unless i hear other
>> suggestions.
>
> In Debian Edu we ran into a similar problem within debian-installer, when
> setting up Kerberos.  The installation would hang because the Linux kernel
> collect entropy from so few sources and almost none of the sources have
> activity during installation.  We solved it by running a shell script loop
> in the background checking the entropy level, and flushing the disk cache
> and doing find / to generate disk IO when entropy run low.
>
> Perhaps an idea for the test code?

this all sounds like a pretty high-energy set of workarounds.  What we'd
really like is to say declaratively that the test suite needs system
entropy :/  can we solve this problem centrally somehow?

     --dkg

[signature.asc (application/pgp-signature, inline)]

Message #46 received at 841208@bugs.debian.org (full text, mbox, reply):

From: Santiago Vila <sanvila@unex.es>

To: Daniel Kahn Gillmor <dkg@fifthhorseman.net>

Cc: 841208@bugs.debian.org

Subject: Re: Bug#841208: fixed in monkeysphere 0.41-1

Date: Wed, 11 Jan 2017 20:36:16 +0100

On Wed, Jan 11, 2017 at 02:06:21PM -0500, Daniel Kahn Gillmor wrote:

> (b) it's not actually an issue on the debian buildd infrastructure

While I understand the downgrade of this bug in particular, I'm
worried about this rationale being used over and over again, when it's
clearly flawed (and not just simply flawed, but seriously flawed).

We don't wait for bugs to happen in buildd.debian.org. If we did, the
hundreds of FTBFS bug reported by Lucas Nussbaum, Chris Lamb or even
myself would have to be downgraded, as they only reference non-official
build logs and not an official build log from buildd.debian.org.

I'm also worried that buildd.debian.org sets the *only* bar for what we
consider serious, when it's clearly not.

Some examples:

Packages having a missing "build-depends: gnupg", or, in general, any
kind of missing build-depends) have a serious bug, even if gnupg or
the missing build-dependency is still installed by default on
buildd.debian.org.

Packages which fail to build on single-CPU systems have a serious bug,
even if all our autobuilders have more than one CPU.

Packages having tests which fail on "slow" computers have a serious bug,
even if all our autobuilders are "fast".

Packages having tests which fail on very fast computers have a serious bug,
even if all our autobuilders are just "fast".

And so on.

We can't just rely on specific and accidental features of
buildd.debian.org to be present in any autobuilder, we can only rely
on those who are expressed in build-depends.

We don't have a Build-CPU-MHz: control field to ask for a fast
autobuilder, but we should probably never have such control field.

We don't have a Build-CPU: control field to ask for a multi-core
autobuilder, but we should probably never have such control field.

Etc.

[ RAM size is a very different thing. Packages should use what
  they need, and autobuilders are always supposed to have "enough" ]

> Please also see https://bugs.debian.org/850094 for more general
> discussion of similar situations.

So let's use my bug above as a rationale and not the "it does not fail
on buildd.debian.org" one, please. Such rationale does not really match
current practice.

Sorry for the rant, I was thinking about writing these things some day
in -devel as a way to reply to all the people who have downgraded bugs
following such rationale which is not written in policy anywhere,
so this email has accidantelly become a draft of such email.

Thanks.

Message #51 received at 841208@bugs.debian.org (full text, mbox, reply):

From: Daniel Kahn Gillmor <dkg@fifthhorseman.net>

To: Santiago Vila <sanvila@unex.es>

Cc: 841208@bugs.debian.org

Subject: Re: Bug#841208: fixed in monkeysphere 0.41-1

Date: Wed, 11 Jan 2017 18:06:44 -0500

[Message part 1 (text/plain, inline)]

Hi Santiago--

On Wed 2017-01-11 14:36:16 -0500, Santiago Vila wrote:
> On Wed, Jan 11, 2017 at 02:06:21PM -0500, Daniel Kahn Gillmor wrote:
>
>> (b) it's not actually an issue on the debian buildd infrastructure
>
> While I understand the downgrade of this bug in particular, I'm
> worried about this rationale being used over and over again, when it's
> clearly flawed (and not just simply flawed, but seriously flawed).

fwiw, i agree with you fully here, which is why i didn't close the bug,
and kept the severity as high as "important".  I didn't mean to imply
that the bug was not valid because it builds on the buildd's -- just
that we have a workaround for now because it builds on the buildd's

> We can't just rely on specific and accidental features of
> buildd.debian.org to be present in any autobuilder, we can only rely
> on those who are expressed in build-depends.
>
> We don't have a Build-CPU-MHz: control field to ask for a fast
> autobuilder, but we should probably never have such control field.
>
> We don't have a Build-CPU: control field to ask for a multi-core
> autobuilder, but we should probably never have such control field.

These are qualitatively different from "a builder which has system
entropy available in order to run the test suite".

If we believe that no test suites or build processes should need system
entropy at all (not implausible in these days of reproducible builds and
hopefully-deterministic test suites), another approach would be to
symlink /dev/random to /dev/urandom on all buildd's, and then the
builders just get what they get, rather than starving the system of
entropy.

thanks for continuing to push on this stuff.  If you have any better
suggestions for resolution, i'd be happy to hear them.

I probably need to open an upstream bug with gnupg about subkey
generation when there is limited system entropy too, but i tend to
actually have system entropy on my own hardware and haven't had the time
to set up a deliberately-starved machine for the test process.

        --dkg

[signature.asc (application/pgp-signature, inline)]

Message #56 received at 841208@bugs.debian.org (full text, mbox, reply):

From: Antoine Beaupre <anarcat@debian.org>

To: Daniel Kahn Gillmor <dkg@fifthhorseman.net>, 841208@bugs.debian.org

Cc: Santiago Vila <sanvila@unex.es>

Subject: Re: Bug#841208: fixed in monkeysphere 0.41-1

Date: Wed, 26 Sep 2018 22:31:16 -0400

[Message part 1 (text/plain, inline)]

On Wed, Jan 11, 2017 at 06:06:44PM -0500, Daniel Kahn Gillmor wrote:
> If we believe that no test suites or build processes should need system
> entropy at all (not implausible in these days of reproducible builds and
> hopefully-deterministic test suites), another approach would be to
> symlink /dev/random to /dev/urandom on all buildd's, and then the
> builders just get what they get, rather than starving the system of
> entropy.
> 
> thanks for continuing to push on this stuff.  If you have any better
> suggestions for resolution, i'd be happy to hear them.
> 
> I probably need to open an upstream bug with gnupg about subkey
> generation when there is limited system entropy too, but i tend to
> actually have system entropy on my own hardware and haven't had the time
> to set up a deliberately-starved machine for the test process.

I've been able to (more or less) reproduce this bug while working on a
bunch of other test suite failures here. Just run the test suite on a
loop and you'll exhaust any entropy pool fairly quickly. (Of course, the
test suite in Debian fails way before we reach that point right now, but
on git that's fixed so we actually hit key generation now. :)

That said, I was able to workaround the issue by installing haveged
here. I know, it's not a good general solution to entropy starvation in
production, as it relies on CPU features which might be absent on
virtual machines, for example. It might just make sense, however, to add
it as a build-dep to fix the test suite.

A.

[signature.asc (application/pgp-signature, inline)]

Message #61 received at 841208@bugs.debian.org (full text, mbox, reply):

From: Daniel Kahn Gillmor <dkg@fifthhorseman.net>

To: Antoine Beaupre <anarcat@debian.org>, 841208@bugs.debian.org

Cc: Santiago Vila <sanvila@unex.es>

Subject: Re: [monkeysphere] Bug#841208: fixed in monkeysphere 0.41-1

Date: Thu, 24 Jan 2019 15:12:24 -0500

[Message part 1 (text/plain, inline)]

re: https://bugs.debian.org/841208 --

entropy exhaustion should no longer be an issue on debian buster, since
the gcrypt started using getrandom() as of gcrypt 1.8.4 (see upstream
https://dev.gnupg.org/T3894)

        --dkg

[signature.asc (application/pgp-signature, inline)]

Message #66 received at 841208@bugs.debian.org (full text, mbox, reply):

From: Daniel Kahn Gillmor <dkg@fifthhorseman.net>

To: 841208@bugs.debian.org, Antoine Beaupre <anarcat@debian.org>, 841208-done@bugs.debian.org

Cc: Santiago Vila <sanvila@unex.es>

Subject: Re: [monkeysphere] Bug#841208: fixed in monkeysphere 0.41-1

Date: Tue, 05 Mar 2019 12:37:52 -0500

[Message part 1 (text/plain, inline)]

On Thu 2019-01-24 15:12:24 -0500, Daniel Kahn Gillmor wrote:
> re: https://bugs.debian.org/841208 --
>
> entropy exhaustion should no longer be an issue on debian buster, since
> the gcrypt started using getrandom() as of gcrypt 1.8.4 (see upstream
> https://dev.gnupg.org/T3894)

I'm closing this bug report against monkeysphere because the underlying
problem was solved in libgcrypt.  There isn't really a version of
monkeysphere which fixes the problem, so i don't know how to mark the
version number of the fix.

Santiago (or anyone else following along) if you manage to reproduce the
problem with gcrypt 1.8.4 or later on a running kernel, please let me
know by re-opening this bug report!

Regards,

        --dkg

[signature.asc (application/pgp-signature, inline)]

Message #76 received at 841208@bugs.debian.org (full text, mbox, reply):

From: Santiago Vila <sanvila@unex.es>

To: Daniel Kahn Gillmor <dkg@fifthhorseman.net>

Cc: 841208@bugs.debian.org, Antoine Beaupre <anarcat@debian.org>

Subject: Re: [monkeysphere] Bug#841208: fixed in monkeysphere 0.41-1

Date: Tue, 5 Mar 2019 18:48:11 +0100

Hi.

Incidentally, my current workaround for this and related issues
has been (for the last months) to bind-mount /dev/urandom on /dev/random
inside the chroot.

This has been working like a charm in most cases, the exception being
packages who insist on testing the hardware or the operating system
instead of the software which has just been built:

https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=907191

I'll take a look at the kernel feature to see if it's better than this.

Thanks a lot.

Message #81 received at 841208@bugs.debian.org (full text, mbox, reply):

From: Daniel Kahn Gillmor <dkg@fifthhorseman.net>

To: Santiago Vila <sanvila@unex.es>

Cc: 841208@bugs.debian.org, Antoine Beaupre <anarcat@debian.org>

Subject: Re: [monkeysphere] Bug#841208: fixed in monkeysphere 0.41-1

Date: Tue, 05 Mar 2019 22:25:23 -0500

[Message part 1 (text/plain, inline)]

On Tue 2019-03-05 18:48:11 +0100, Santiago Vila wrote:
> https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=907191

ugh :(

> I'll take a look at the kernel feature to see if it's better than this.

fwiw, the change isn't in the kernel -- it's in how userspace talks to
the kernel to get its entropy.  On the Linux kernel, gcrypt 1.8.4
(finally) decided to use the getrandom() syscall when available, rather
than talking to /dev/random, so that should fix everything that uses
libgcrypt for random numbers.  So even after the upgrade of gcrypt, it's
possible that other tools are accessing /dev/random via another method,
and they won't be fixed.

I think the right thing to do in those cases is actually to change those
tools to use getrandom() as well. If you've got a list of packages whose
builds fail when /dev/random is blocked, i'd love to see it -- do you
have a list of those bugs other than this one and #850269?  This
misbehavior is a good hint for where we need to look in the ecosystem to
fix things.  Even better if we could have a special kernel-provided
character device that (by analogy with /dev/zero, /dev/full, or
/dev/null) always blocks indefinitely, then we could just create it as
/dev/random and rebuild the archive to see which packages hang.

For anyone following along on this bug, I recommend reading random(7)
for an overview of the differences between sources of kernel-level
entropy.

        --dkg

[signature.asc (application/pgp-signature, inline)]

Send a report that this bug log contains spam.