Re: ssl security desaster
* Thibaut Paumard:
> Actually, I seem to remember that the issue of critical packages being
> maintained by only one person have been pointed out here several times
> already this year (although I don't remember the particular
> threads). Certainly, such packages needs a better QA than the rest.
It's not clear that more eyeballs would have caught this. So far, only
one person has claimed that he'd spotted the mistake during review. I
think such a claim is a bit bold. And let's be realistic -- it's
difficult to enforce strict levels ov review in an all-volunteer
If we want to make changes, it's probably more prudent to consider
changes to make key rollovers easier. This could deal with advances in
cryptanalysis and legacy bugs, not just newly-added bugs. Key rollovers
are never going to be easy, but if there no embedded timestamps or IDs
of key-generating software, they are particularly difficult.