Verify urandom-style RNG is seeded before generating ID keys
In a better world, every kernel would have a /dev/urandom interface that would block if it hadn't been seeded enough. I hear that some operating systems do this already.
Unfortunately, the world is what it is, and a typical /dev/urandom implementation treats the case where its internal entropy estimator is low exactly the same as the case when its internal entropy estimator has never gotten high at all.
So we should try to protect ourselves from cases where we start up on systems with limited entropy and /dev/urandom refuses to tell us so. Here's a design sketch:
If we're generating an identity key when we haven't generated one before, or if we are starting Tor for the first time with a given DataDirectory, we should first try to read a single byte from /dev/random, and block until we can. This will ensure that the kernel RNG has (by its own lights) reached full entropy at least once, which guarantees cryptographic quality of the rest of the /dev/urandom stream.
Optionally, we can keep some RNG output in a file on disk in our data directory, and use it as an extra seed on subsequent Tor boots, regenerating it each time we start Tor. Combined with 1 above, this would protect us -- at least as well as most operating systems protect us -- from ever running our RNG in a low-entropy environment.
Optionally, we could to the trick in 1 above every time we start Tor.