[Date Prev][Date Next] [Thread Prev][Thread Next] [Date Index] [Thread Index]

Re: ssl security desaster (was: Re: SSH keys: DSA vs RSA)

Am Donnerstag, den 15.05.2008, 17:33 +0200 schrieb Thijs Kinkhorst:
> On Thursday 15 May 2008 16:47, Martin Uecker wrote:
> > > You mean less likely than once in 15 years? We're open to your
> > > suggestions.
> >
> > Something as bad as this might be rare, still, if something can be
> > improved, it should.
> >
> > Upstream complained about the extensive Debian patching. I think this
> > is a valid criticism.
> Of course things can be improved, probably always. I don't think that just one 
> incident means that nothing must be changed, but I also contest that this 
> incident in and of itself requires changes to be made. One incident just 
> doesn't tell us much about the quality of Debian patches in general, either 
> way.

I don't question the quality of Debian patches in general. But I
still think that something can be learned from this single
incident. The security advantage of open source software 
is said to be: "Many Eyes Make All Bugs Shallow!" This of course
can not work if every distribution basically creates its own 

> That's also what I dislike in Ben Laurie's blog post: he bases his conclusion 
> on just this thing that indeed went horribly wrong, but is far from examplary 
> for all patching that Debian, or distributions in general, do. I don't think 
> he realises that far from all upstreams are as ideal as he seems to think.

I am missing some self-criticism too. The use of uninitialized memory
should have been fixed upstream long ago. (And this is *not* a rare
case where the use of uninitialized memory is ok.)

> I welcome change and review of our processes, but taking one extreme incident 
> as the base on which to draw conclusions seems not the wise thing to do.

Why not? A plane crash is a very rare incident. Still every single
crash is investigated to make recommendations for their future

> If you're interested in for example changing the level to which software is 
> patched in Debian, I suggest to start with a representative review of what 
> gets patched and why it's done. That would give more base to see whether the 
> extensive patching is indeed excessive.

I do not have time to do statistics, but from looking at a lot of
packages over the years I know that their a many changes in Debian
packages which are not related to packaging. Besides security
fixes or other really important fixes which have to go in very fast,
I do not see no reason for all this Debian specific changes.


Reply to: