[Date Prev][Date Next] [Thread Prev][Thread Next] [Date Index] [Thread Index]

Re: ssl security desaster (was: Re: SSH keys: DSA vs RSA)

Martin Uecker wrote:

> Am Donnerstag, den 15.05.2008, 17:33 +0200 schrieb Thijs Kinkhorst:

>> If you're interested in for example changing the level to which software is 
>> patched in Debian, I suggest to start with a representative review of what 
>> gets patched and why it's done. That would give more base to see whether the 
>> extensive patching is indeed excessive.
> I do not have time to do statistics, but from looking at a lot of
> packages over the years I know that their a many changes in Debian
> packages which are not related to packaging. Besides security
> fixes or other really important fixes which have to go in very fast,
> I do not see no reason for all this Debian specific changes.

If you see packages for which a Debian-specific patch seems unnecessary,
please by all means file a bug (severity wishlist) requesting that the
patch be either reverted or submitted upstream.  The worst that can
happen is that the bug will be ignored or closed with no reason given by
the maintainer.  More likely (at least I hope so), you'll either get an
explanation of why the patch is needed, or have your request to remove
the patch actually implemented.

Speaking only for myself, let me comment on some "extensive patching".
I guess that some of my physics-related packages (cernlib, paw) are
among the more heavily patched in Debian.  Unfortunately upstream is
dead, so there is *no way* to see the patches incorporated there.  And
even before they gave up the ghost, they were very conservative,
refusing to consider most patches more complicated than trivial changes
to fix complete breakage.

The Debian-specific patches (which have also been incorporated into
Fedora's packages) incorporate things that upstream was unwilling to
include, such as:

- building shared libraries instead of only static ones
- support for architectures other than x86 and powerpc on Linux
- minimal 64-bit support
- support for newer compilers (gfortran instead of g77)
- fixes for bugs when programs were built against lesstif instead of
  the non-free OpenMotif (upstream did not see any reason to support
- removal of non-free code, and fixing the build system to work
  around this removal

Believe me, there are lots of upstreams for which extensive patching
really is necessary.  (I have no idea whether OpenSSL is one of those,
as I have no familiarity with its code nor the Debian packaging of it.)

best regards,

Kevin B. McCarty <kmccarty@gmail.com>
WWW: http://www.starplot.org/
WWW: http://people.debian.org/~kmccarty/
GPG: public key ID 4F83C751

Attachment: signature.asc
Description: OpenPGP digital signature

Reply to: