According to rngd man page the default value for the '--fill-watermark' option is 2048 bits. However, upon examining default_watermark() function in rngd_linux.c, it turns out that this is true for systems where poolsize cannot be obtained. In linux, the pool size can be obtained by reading '/proc/sys/kernel/random/poolsize'. If rngd is capable of reading the proc entry, as it should be, then it sets the --fill-watermark value to be 75% of the total pool size, typically 3072 bits. Gentoo mitigates this problem by explicitly specifying the '--fill'watermark 2048' in the init script. Still, it is ambiguous which is the intended default value (2048 or 3072 bits), and which one Gentoo should provide by default. Reproducible: Always
Created attachment 406954 [details, diff] Proposed fix for manpage For reference purposes: - Suse uses 3700 bits for watermark - Debian uses 50% - Fedora goes with the default 75% There doesn't seem to be any consensus on the default value. I suggest that we modify the manpage to reflect the correct behaviour and leave the default 2048 bits provided by the init script as is.
Created attachment 406956 [details, diff] Patch for the ebuilds
Created attachment 407350 [details, diff] Patch manpage inside ebuild with sed As per our discussion on #gentoo-proxy-maint with idella4, patching the manpage with sed is better than creating a separate patch file. It takes up less space than the patch file and easier to read when it's inside the ebuild. Note that this is only for rng-tools-5, although it should apply the same way to rng-tools-4 too. There is a stabilization bug open for rng-tools-5, so it makes sense to patch only rng-tools-5 and get rid of rng-tools-4 as soon as possible.
thanks, it's in 5-r1 now: http://gitweb.gentoo.org/repo/gentoo.git/commit/?id=3f3d293d479c67624790945244f46ab6956c05e3
