Comment 21 for bug 706011

@ Jon Stevens

So if we care about security we are stupid? This isn't just some random security issue in code that are a dime a dozen. If we implemented what you suggested we would be breaking the entire web of trust of people who use Ubuntu to generate GPG keys. We would literally be making the whole GPG system completely insecure for hundreds of thousands if not *millions* of people. Ubuntu would become a laughing-stock on all the big tech websites. Blogs world wide would be saying "Ubuntu generates insecure GPG keys." I can see the headlines now.

 Whoever runs this bug list should *never* have made this a valid big in the first place. Luckily they have since made it invalid. Now they need to close it for good.

And if you are developing or packaging, why are you not doing it on a local machine? Why are you doing it on some random VM remotely? Besides, I gave you a good solution already. Run this in the terminal on your VM:

sudo apt-get install haveged

That is an entropy generator that will keep the entropy pool full at all times. You should be able to generate your keys in seconds. Even though it might not be as secure as using /dev/random directly, it is probably good enough for your needs, and certainly much faster. If you want a fast solution, fine. But don't ask Ubuntu to break our security for your one weird corner case.

Lesson to be learned: Unless you are a cryptographer or someone *very* experienced in crypto coding, do not *ever* mess around with crypto code or suggest people change it because of something you don't understand. Debian learned this lesson the hard way several years ago.