Re: ssl security disaster (was: Re: SSH keys: DSA vs RSA)
On Thursday 15 May 2008 18:26, Martin Uecker wrote:
> Why not? A plane crash is a very rare incident. Still every single
> crash is investigated to make recommendations for their future
Maybe that wasn't clear from my first mail, but I don't think that nothing can
be learned from this incident (and something already has been learned!). I just
don't think that the conclusion that "Debian patches too much" is at all
justified when looking solely at this bug.
> > If you're interested in, for example, changing the level to which software
> > is patched in Debian, I suggest starting with a representative review of
> > what gets patched and why it's done. That would give more of a basis for
> > judging whether the extensive patching is indeed excessive.
> I do not have time to do statistics, but from looking at a lot of
> packages over the years I know that there are many changes in Debian
> packages which are not related to packaging. Besides security
> fixes or other really important fixes which have to go in very fast,
> I do not see any reason for all these Debian-specific changes.
I can understand that this doesn't seem necessary from the outside. However,
I've been working on Debian for a few years now, and I've come to see that
large numbers of patches are very justified. For example, because upstream
isn't very cooperative, or doesn't respond at all. Or because upstream is
not interested in problems that affect Debian users specifically. There are
many more examples, and probably also quite a few counterexamples. There's a
net win there, however.
Let me state it again: surely things can be learned from this incident, but
the general conclusion that Debian patches too much is in my opinion far from
justified. And I think it would be a good idea to get a better overview of the
reasons that these patches are applied before drawing the conclusion that
it's a bad idea.