Re: ssl security desaster

To: Thibaut Paumard <paumard@users.sourceforge.net>
Cc: Debian Debian Developers <debian-devel@lists.debian.org>
Subject: Re: ssl security desaster
From: Florian Weimer <fw@deneb.enyo.de>
Date: Sat, 17 May 2008 12:44:02 +0200
Message-id: <[🔎] 87skwhjjm5.fsf@mid.deneb.enyo.de>
In-reply-to: <[🔎] 02BD6F5C-979F-4240-8B54-7EB2BF848F9F@users.sourceforge.net> (Thibaut Paumard's message of "Fri, 16 May 2008 16:38:33 +0200")
References: <[🔎] 1210938511.11167.44.camel@localhost> <[🔎] E609A589-593F-4ABF-B129-7D1E52023EBB@users.sourceforge.net> <[🔎] 1210943042.6754.23.camel@hortense> <[🔎] 4492B953-7FBF-4CD6-9827-6598712B9952@users.sourceforge.net> <[🔎] 4671dd0c0805160641q588b37e5q83514a9c09abcfc8@mail.gmail.com> <[🔎] 02BD6F5C-979F-4240-8B54-7EB2BF848F9F@users.sourceforge.net>

* Thibaut Paumard:

> Actually, I seem to remember that the issue of critical packages being
> maintained by only one person have been pointed out here several times
> already this year (although I don't remember the particular
> threads). Certainly, such packages needs a better QA than the rest.

It's not clear that more eyeballs would have caught this.  So far, only
one person has claimed that he'd spotted the mistake during review.  I
think such a claim is a bit bold.  And let's be realistic -- it's
difficult to enforce strict levels ov review in an all-volunteer
project.

If we want to make changes, it's probably more prudent to consider
changes to make key rollovers easier.  This could deal with advances in
cryptanalysis and legacy bugs, not just newly-added bugs.  Key rollovers
are never going to be easy, but if there no embedded timestamps or IDs
of key-generating software, they are particularly difficult.

Reply to:

References:
- Re: Re: ssl security desaster (was: Re: SSH keys: DSA vs RSA)
  - From: Martin Uecker <muecker@gwdg.de>
- Re: ssl security desaster (was: Re: SSH keys: DSA vs RSA)
  - From: Thibaut Paumard <paumard@users.sourceforge.net>
- changing subjects when discussion becomes slightly off-topic - Was: Re: ssl security desaster (was: Re: SSH keys: DSA vs RSA)
  - From: Olivier Berger <olivier.berger@it-sudparis.eu>
- Re: changing subjects when discussion becomes slightly off-topic - Was: Re: ssl security desaster (was: Re: SSH keys: DSA vs RSA)
  - From: Thibaut Paumard <paumard@users.sourceforge.net>
- Re: changing subjects when discussion becomes slightly off-topic - Was: Re: ssl security desaster (was: Re: SSH keys: DSA vs RSA)
  - From: "Miriam Ruiz" <little.miry@gmail.com>
- Re: ssl security desaster (was: Re: changing subjects when discussion becomes slightly off-topic - Was:Re: SSH keys: DSA vs RSA)
  - From: Thibaut Paumard <paumard@users.sourceforge.net>

Prev by Date: Re: How to handle Debian patches
Next by Date: Bug#481616: ITP: mumudvb -- Multicast a DVB transponder over multiple IP addresses
Previous by thread: Re: ssl security desaster (was: Re: changing subjects when discussion becomes slightly off-topic - Was:Re: SSH keys: DSA vs RSA)
Next by thread: Debian patches
Index(es):
- Date
- Thread