Re: making Debian secure by default

To: debian-user@lists.debian.org
Subject: Re: making Debian secure by default
From: John Hasler <john@sugarbit.com>
Date: Mon, 01 Apr 2024 14:59:41 -0500
Message-id: <[🔎] 871q7ozweq.fsf@sugarbit.com>
Reply-to: john@sugarbit.com (John Hasler)
In-reply-to: <[🔎] 20240401204025.7c12dce7@jrenewsid.jretrading.com> (joe@jretrading.com's message of "Mon, 1 Apr 2024 20:40:25 +0100")
References: <CAD8GWssBoRrCzW0TSUGxMeuY=y_bTM-nMuSO7_4g1Kyk79fgqQ@mail.gmail.com> <ZgSljhflfCtsnnCq@mail.bitfolk.com> <CAD8GWsswLPH327tvj64HkWuMfayXczJyyviSk9Um2CAHHjoovg@mail.gmail.com> <ZgVw+HFmMseszOcm@mail.bitfolk.com> <ZgWLmLCjcOTqhk2a@wooledge.org> <slrnv0bba0.1hf.curty@einstein.electron.org> <Zgbx8L7m3k92QWzm@mail.bitfolk.com> <20240329172333.7439c34e@jrenewsid.jretrading.com> <[🔎] CAJmb-Y=M67E3PDrgzYkHt98gbzef5-0+2q2RubwhGurxkaH1-g@mail.gmail.com> <[🔎] ZgoRo7jKKXSEV7Ai@mail.bitfolk.com> <[🔎] 20240401134741.7a2ca89c@jrenewsid.jretrading.com> <[🔎] 875xx0zzm9.fsf@sugarbit.com> <[🔎] 20240401204025.7c12dce7@jrenewsid.jretrading.com>

Joe writes:
> Which didn't happen, at least not for two years.

It happened eventually, which is my point.

> I would suggest that for any software as critical as OpenSSL, more
> than one pair of eyes would have been appropriate *before* release.

I would suggest that critical projects such as OpenSSL need to practice
a form of "dependecy management" analogous to "supply chain management":
track dependency chains and periodically re-qualify each level.  A full
audit might not be possible but at least look closely enough to notice
when a library is being supported by one overworked guy who is taking
patches from random strangers.

NOTE: this is just a suggestion.  I don't claim to be any sort of
security expert  nor am I trying to tell anyone what to do.
-- 
John Hasler 
john@sugarbit.com
Elmwood, WI USA

Reply to:

References:
- Re: making Debian secure by default
  - From: Nicholas Geovanis <nickgeovanis@gmail.com>
- Re: making Debian secure by default
  - From: Andy Smith <andy@strugglers.net>
- Re: making Debian secure by default
  - From: Joe <joe@jretrading.com>
- Re: making Debian secure by default
  - From: John Hasler <john@sugarbit.com>
- Re: making Debian secure by default
  - From: Joe <joe@jretrading.com>

Prev by Date: Re: making Debian secure by default
Next by Date: Re: making Debian secure by default
Previous by thread: Re: making Debian secure by default
Next by thread: Re: making Debian secure by default
Index(es):
- Date
- Thread