[Date Prev][Date Next] [Thread Prev][Thread Next] [Date Index] [Thread Index]

Re: ssl security desaster (was: Re: SSH keys: DSA vs RSA)

On Thursday 15 May 2008 18:26, Martin Uecker wrote:
> Why not? A plane crash is a very rare incident. Still every single
> crash is investigated to make recommendations for their future
> avoidance.

Maybe that wasn't clear from my first mail, but I don't think that nothing can 
be learned from this incident (and already has been learned!). I just think 
that the conclusion that "Debian patches too much" is at all justified when 
looking solely at this bug.

> > If you're interested in for example changing the level to which software
> > is patched in Debian, I suggest to start with a representative review of
> > what gets patched and why it's done. That would give more base to see
> > whether the extensive patching is indeed excessive.
> I do not have time to do statistics, but from looking at a lot of
> packages over the years I know that their a many changes in Debian
> packages which are not related to packaging. Besides security
> fixes or other really important fixes which have to go in very fast,
> I do not see no reason for all this Debian specific changes.

I can understand that this doesn't seem necessary from the outside. However, 
I've been working on Debian for a few years now, and I've come to see that 
large numbers of patches are very justified. For example, because upstream 
isn't quite as cooperative, or even responds at all. Or because upstream is 
not interested in problems that affect Debian users specifically. There are 
many more examples, and probably also quite some counterexamples. There's a 
net win there, however.

Let me state it again, surely things can be learned from this incident, but 
the general conclusion that Debian patches too much is in my opinion far from 
justified. And I think it would be a good idea to get more overview of the 
reasons that these patches are applied before drawing the conclusion that 
it's a bad idea.


Reply to: