Consider not starting ekeyd by default
EntropyKey is a rare USB TRNG made by a company which has shut down production years ago. The device requires its own, custom, no longer developed daemon which runs as root and monitors all USB devices inserted. It requires this because EntropyKey has its own proprietary firmware running on the device, so unlike other popular USB TRNGs, it cannot use well-maintained alternatives like rngd.
Feature #7687 (closed) was rejected, which was to remove ekeyd entirely due to the increased attack surface area it provides (it even links against liblua). I was going to contest that rejection, but I decided to create a new ticket to consider keeping the package, but without the corresponding service automatically starting. In that previous ticket, ioerror said that he used EntropyKey, and asked not to have it removed, resulting in its rejection. Why not keep the package installed, but have it no longer start by default? Anyone who uses it could trivially start it up, and everyone else (well over 99.99%) would not have to have an unmaintained daemon running as root for a rare USB device made by a company that no longer exists.
Related issues
- Related to #7687 (closed)
Original created by @cypherpunks on 11703 (Redmine)