Re: the openssl incident
I think it would be wise to do up an article. Not everyone who uses
Debian is tuned into the mailing lists (although they certainly ought
to be) and I think it is consistent with "We will not hide
problems"[1].
As a publicity team, we don't want to generally highlight our
problems, but this seems like a case where it is more important that
people find out and know what to do to fix the problem rather than
find out by having a machine compromised. We can highlight the
positive, in this case we can highlight the quick responses as has
been done by others [2], [3], and that Debian IS incredibly open with
its issues [4]. It would also be good to highlight the Debian
instructions for how to generate new keys for affected packages [5].
[1] http://www.debian.org/social_contract
[2] http://gwolf.org/node/1743
[3] http://www.aigarius.com/blog/2008/05/14/too-similar-to-be-different/
[4] http://www.debian.org/security/2008/dsa-1571
[5] http://www.debian.org/security/key-rollover/
Jeff
On Tue, May 20, 2008 at 8:37 AM, AndreMachado
<andremachado@techforce.com.br> wrote:
>
> Hello,
> Given the short and limited audience message from the DPL [0],
> and some less emotional posts about the incident [1] [2],
> and given the amount of side effects at press, should we publish
> at Debian Times some announcement regarding the incident and measures
> to avoid future problems like this one?
> Regards.
> Andre Felipe Machado
>
> [0] http://lists.debian.org/debian-devel-announce/2008/05/msg00006.html
> [1] http://etbe.coker.com.au/2008/05/18/debian-ssh-problems/
> [2] http://lbello.livejournal.com/52823.html
>
> --
> A Debian user never dies. Issues a last command:
> #shutdown -h now
>
>
> --
> To UNSUBSCRIBE, email to debian-publicity-request@lists.debian.org
> with a subject of "unsubscribe". Trouble? Contact listmaster@lists.debian.org
>
>
--
_____________________
Jeff Richards
(250) 483-4318
Reply to: