Cryptographic weakness on Debian systems

The level of entropy would be essentially zero. Memory starts out as zeroed at process
creation time.  It may end up being recycled internally to the same process, but that would be
very predictable.

I suppose you could have some situation like:

 x = malloc(10);
 memcpy(x, randsrc, 10);
 free(x);
 y = malloc(10); /* we just happen to get the same memory */

could cause the situation as described, but that would be a horrible bug -- there is no
guarantee that y wouldn't be all zeros anyway.

I don't think that's what happened here though.

From other comments I think it may be the case that the zeroed buffer contained real entropy,
but possibly not filling the whole thing, thus reading it causes reads of uninitialized bytes.
It could also be that the entropy in the buffer was generated using an uninitialized variable
somewhere (any result of a calculation with uninitialized values must be treated as if it
results in uninitialized values).

I look forward to someone doing a more in-depth inspection of this code -- it should be made
clear exactly how the entropy is gathered and passed around, and there should be no
uninitialized values stored or read from the buffer.  Adding initializations at random points
in the code is not the way to write secure software.