[Date Prev][Date Next] [Thread Prev][Thread Next] [Date Index] [Thread Index]

Re: ssl security desaster (was: Re: SSH keys: DSA vs RSA)

On Thursday 15 May 2008 16:47, Martin Uecker wrote:
> > You mean less likely than once in 15 years? We're open to your
> > suggestions.
> Something as bad as this might be rare, still, if something can be
> improved, it should.
> Upstream complained about the extensive Debian patching. I think this
> is a valid criticism.

Of course things can be improved, probably always. I don't think that just one 
incident means that nothing must be changed, but I also contest that this 
incident in and of itself requires changes to be made. One incident just 
doesn't tell us much about the quality of Debian patches in general, either 

That's also what I dislike in Ben Laurie's blog post: he bases his conclusion 
on just this thing that indeed went horribly wrong, but is far from examplary 
for all patching that Debian, or distributions in general, do. I don't think 
he realises that far from all upstreams are as ideal as he seems to think.

I welcome change and review of our processes, but taking one extreme incident 
as the base on which to draw conclusions seems not the wise thing to do. If 
you're interested in for example changing the level to which software is 
patched in Debian, I suggest to start with a representative review of what 
gets patched and why it's done. That would give more base to see whether the 
extensive patching is indeed excessive.


Attachment: pgpIgDyHSebJF.pgp
Description: PGP signature

Reply to: