About DSA-1571 openssl, I totally agree with Eric ... openssl is just like this XKCD strip. So whatever distro you run, cross your fingers while you generate your keys from so-called uninitialized memory so it's uninitialized enough. Why don't we just drop openssl?

PS: http://wiki.debian.org/SSLkeys gives a better explanation. The problem is that one of the cleanups is harmless, while the other one actually commented out the code that seeds the PRNG with real entropy. Ouch.
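As an added illustration, not part of the post above and not OpenSSL's code, here is a toy model in Python of why removing the entropy-seeding step matters. The "PRNG state" is just a hash of whatever was mixed in; with the entropy step present, each key generation gets fresh randomness, and with it commented out the state depends only on the simulated process id, so the number of distinct keys collapses to the number of possible process ids. The process ids, the entropy source and the key derivation are all constructed for the demonstration.

```python
import hashlib
import os


def seed_state(pid, entropy_bytes, mix_entropy=True):
    """Toy PRNG seeding: hash the process id and, unless the
    entropy step has been 'cleaned up', a buffer of real entropy.
    This is a constructed model, not OpenSSL's RAND_add/RAND_bytes."""
    h = hashlib.sha256()
    h.update(pid.to_bytes(4, "little"))
    if mix_entropy:
        h.update(entropy_bytes)  # the step the harmful cleanup removed
    return h.digest()


def derive_key(state):
    """Toy 'key' derived from the PRNG state (a constructed stand-in
    for real key generation)."""
    return hashlib.sha256(b"key" + state).hexdigest()[:16]


def count_distinct_keys(mix_entropy, runs=500, pid_range=50):
    """Simulate `runs` key generations on hosts whose process ids cycle
    through `pid_range` values (constructed), and count how many
    distinct keys come out."""
    keys = set()
    for i in range(runs):
        pid = i % pid_range          # simulated process id
        entropy = os.urandom(32)     # fresh entropy on every run
        keys.add(derive_key(seed_state(pid, entropy, mix_entropy)))
    return len(keys)


if __name__ == "__main__":
    print("with entropy mixing:   ", count_distinct_keys(True))
    print("without entropy mixing:", count_distinct_keys(False))
```

With the entropy step in place every run yields a different key; with it removed the output set is bounded by the process id range, which is exactly the situation the Debian wiki page describes, with the real PRNG and real keys in place of this toy.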