Hacker News
A good idea with bad usage: /dev/urandom (insanecoding.blogspot.ca)
6 points by throwaway2048 on May 5, 2014 | 4 comments


Suffice it to say that the author is mistaken when he claims that "The former is pretty much raw entropy, while the latter is the output of a CSPRNG function"

/dev/random is not "pretty much raw entropy", it is the exact same output of the kernel's CSPRNG as /dev/urandom is giving out.

See http://www.2uo.de/myths-about-urandom/#structure


> Using poor sources of entropy like /dev/urandom on Linux, or worse, gettimeofday(), and using them to generate long-lived keys.

He missed the point; people complained because he claimed urandom was a poor source of entropy. That post is about using urandom securely, and he even shows that he doesn't know the difference between random and urandom.


I think you missed what he was saying. He phrased it a few different ways in the blog and the comments, the clearest probably being: "(/dev/urandom || gettimeofday()) is a very poor source of entropy".

He was complaining about a particular usage he was seeing in the wild, not random and urandom, as he explicitly says a few times.


Not wanting to nitpick, but if an attacker manages to unlink("/dev/urandom") then you have bigger problems than just not trusting this one file. Nothing an application developer can do will make this system more secure.



