Don't. Use. Userspace. Random. Number. Generators.<p>It is 2016. There is no business for any major tool to be shipping a dependency on a userspace random number generator like this.<p><a href="http://sockpuppet.org/blog/2014/02/25/safely-generate-random-numbers/" rel="nofollow">http://sockpuppet.org/blog/2014/02/25/safely-generate-random...</a><p>It's not enough for us to stop fielding new software with broken userspace random (all userspace random is broken random). We need to go back through all the software, find all the userspace RNGs, and replace them with urandom reads.
The GPG folks don't currently recommend revoking keys based on this: <a href="https://lists.gnupg.org/pipermail/gnupg-announce/2016q3/000395.html" rel="nofollow">https://lists.gnupg.org/pipermail/gnupg-announce/2016q3/0003...</a>
> [...] the flaw makes a part of the PRNG output completely predictable. This bug exists since 1998 in all GnuPG and Libgcrypt versions [...]<p>> Please note that this document makes no claims about the effect of the flaw on the security of generated keys or other artifacts.