There's plenty of randomness for 99.99% of all computers, the remaining ones can easily get
some hardware entropy-source, for example one based on the soundcard as you suggest.
/dev/urandom is actually a lot STRONGER than sha, because it does use whatever real entropy is
available, and while sometimes low enough that /dev/random would block, it is seldom -zero-.
Predicting the next number coming out of urandom is similar to predicting the next number
coming out of a scheme like this:
pool = sha(pool)
Which would perhaps be doable if sha was severly broken. But there's an added complication:
Every once in a while, some -real- entropy from whatever source enters the pool via the rough
pool = sha(pool xor real-random-data)
This should mess things up enough that -even- if sha is severly broken, predicting the
sequence is, essentailly, impossible.
Our editor is rigth: If you are generating a keypair to use for a decade, by all means, use
real randomness. If you are doing anything less, use urandom and forget about it.