the "evil" of EGD (was Re: RFE: Portable OpenSSH)
Dan Kaminsky
dankamin at cisco.com
Thu Mar 29 08:57:42 EST 2001
    
    
  
> I hope this doesn't sound stupid, but I don't understand why everyone
> is so down on EGD.  I've been using it (on AIX) since we put in
> OpenSSH, and I haven't had any problems with it.
>
> Am I just not smart enough to understand why it is so bad?  (Of
> course, I understand the much preferable inclusion of a real source
> of entropy by the vendor, but why is egd so bad compared to the other
> add on entropy sources?)

Take a look at the few other client apps that require client daemons to
accompany in the background:

1) GNOME
2) Sun CC (requires FlexLM, apparently)

Everything else is self-contained--even when there's crypto.  This includes
TrueSSH (damnit, I'm just going to start calling it this), Netscape-SSL, etc.

That being said, prngd is a really slick way to do what it does, and it
speeds things up significantly.  It's fast, lightweight, and well done.

I just object to it being mandatory.

--Dan
    
    