Re: ssl security desaster (was: Re: SSH keys: DSA vs RSA)
On Thursday, 15.05.2008, 17:33 +0200, Thijs Kinkhorst wrote:
> On Thursday 15 May 2008 16:47, Martin Uecker wrote:
> > > You mean less likely than once in 15 years? We're open to your
> > > suggestions.
> > Something as bad as this might be rare, still, if something can be
> > improved, it should.
> > Upstream complained about the extensive Debian patching. I think this
> > is a valid criticism.
> Of course things can be improved, probably always. I don't think that just one
> incident means that nothing must be changed, but I also contest that this
> incident in and of itself requires changes to be made. One incident just
> doesn't tell us much about the quality of Debian patches in general, either
I don't question the quality of Debian patches in general. But I
still think that something can be learned from this single
incident. The security advantage of open source software
is said to be: "Many Eyes Make All Bugs Shallow!" This of course
can not work if every distribution basically creates its own
> That's also what I dislike in Ben Laurie's blog post: he bases his conclusion
> on just this thing that indeed went horribly wrong, but is far from exemplary
> for all patching that Debian, or distributions in general, do. I don't think
> he realises that far from all upstreams are as ideal as he seems to think.
I am missing some self-criticism too. The use of uninitialized memory
should have been fixed upstream long ago. (And this is *not* a rare
case where the use of uninitialized memory is ok.)
> I welcome change and review of our processes, but taking one extreme incident
> as the base on which to draw conclusions seems not the wise thing to do.
Why not? A plane crash is a very rare incident. Still every single
crash is investigated to make recommendations for their future
> If you're interested in for example changing the level to which software is
> patched in Debian, I suggest to start with a representative review of what
> gets patched and why it's done. That would give more base to see whether the
> extensive patching is indeed excessive.
I do not have time to do statistics, but from looking at a lot of
packages over the years I know that there are many changes in Debian
packages which are not related to packaging. Besides security
fixes or other really important fixes which have to go in very fast,
I do not see any reason for all these Debian-specific changes.
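As an added illustration of the point about uninitialized memory made in the message above (this is editor-added example code, not code from the thread, from OpenSSL or from Debian): a constructed toy entropy pool in C that mirrors the shape of the bug as I read the incident. A stack buffer was meant to contribute entropy, reading it was undefined behaviour that the memory checker flagged, the call that mixed it in was removed, and the process id was left as the only varying seed input, so every generated key could be enumerated by trying each pid. The FNV-style mixer, all function names, the 32-byte buffer size and the 1..32767 pid range are assumptions made for the demonstration; the pool is not cryptographic.

```c
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>

/* Constructed toy pool: a 64-bit FNV-1a style mixer standing in for the
 * message-digest pool of a real RNG. Not cryptographic; for illustration. */
#define POOL_INIT  0xcbf29ce484222325ULL
#define POOL_PRIME 0x100000001b3ULL
#define PID_MAX    32768   /* assumption: classic Linux pid range 1..32767 */

static uint64_t pool_mix(uint64_t pool, const void *data, size_t len)
{
    const unsigned char *p = data;
    for (size_t i = 0; i < len; i++) {
        pool ^= p[i];
        pool *= POOL_PRIME;
    }
    return pool;
}

/* The broken pattern: the buffer that was supposed to add entropy is never
 * written, so mixing it in is undefined behaviour (the compiler may drop the
 * read entirely, and its contents are not unpredictable). Once that call is
 * removed, the process id is the only input that still varies. */
uint64_t seed_pid_only(int pid)
{
    unsigned char buf[32];  /* intended "entropy" source, never initialized */
    uint64_t pool = POOL_INIT;
    /* pool = pool_mix(pool, buf, sizeof buf);   <- the removed call */
    (void)buf;
    return pool_mix(pool, &pid, sizeof pid);
}

/* Attacker's view: every seed comes from one of fewer than PID_MAX pids,
 * so the whole key space is enumerable. Returns the pid, or -1. */
int recover_pid(uint64_t observed_seed)
{
    for (int pid = 1; pid < PID_MAX; pid++)
        if (seed_pid_only(pid) == observed_seed)
            return pid;
    return -1;
}

static int cmp_u64(const void *a, const void *b)
{
    uint64_t x = *(const uint64_t *)a, y = *(const uint64_t *)b;
    return (x > y) - (x < y);
}

/* Count distinct seeds reachable over the pid range: bounded by PID_MAX - 1,
 * no matter how good the mixer is. */
size_t count_distinct_pid_seeds(void)
{
    static uint64_t seeds[PID_MAX];
    size_t n = 0;
    for (int pid = 1; pid < PID_MAX; pid++)
        seeds[n++] = seed_pid_only(pid);
    qsort(seeds, n, sizeof seeds[0], cmp_u64);
    size_t distinct = n ? 1 : 0;
    for (size_t i = 1; i < n; i++)
        if (seeds[i] != seeds[i - 1])
            distinct++;
    return distinct;
}

/* The fix: take entropy explicitly from the OS CSPRNG instead of from
 * undefined behaviour, then mix the pid in on top. Returns 0 on success,
 * -1 if /dev/urandom could not be read. */
int seed_from_os(uint64_t *out)
{
    unsigned char buf[32];
    FILE *f = fopen("/dev/urandom", "rb");
    if (!f)
        return -1;
    size_t n = fread(buf, 1, sizeof buf, f);
    fclose(f);
    if (n != sizeof buf)
        return -1;
    int pid = (int)getpid();
    *out = pool_mix(pool_mix(POOL_INIT, buf, sizeof buf), &pid, sizeof pid);
    return 0;
}

int main(void)
{
    uint64_t s = seed_pid_only(4321);
    printf("pid-only seed %016llx -> recovered pid %d\n",
           (unsigned long long)s, recover_pid(s));
    printf("distinct pid-only seeds: %zu (bound %d)\n",
           count_distinct_pid_seeds(), PID_MAX - 1);
    uint64_t a = 0, b = 0;
    if (seed_from_os(&a) == 0 && seed_from_os(&b) == 0)
        printf("two OS-seeded pools differ: %s\n", a != b ? "yes" : "no");
    return 0;
}
```

The point the toy makes is that the removed line was never a real fix to begin with: reading an uninitialized buffer is undefined behaviour, not an entropy source, so the correct upstream change would have been to drop it and seed explicitly from the operating system, which is what `seed_from_os` does. Build with `-fsanitize=memory` (clang) or run under Valgrind after restoring the commented-out call to see the same class of report that triggered the Debian change.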