Re: ssl security desaster (was: Re: SSH keys: DSA vs RSA)

[Mike Bird <mgb-debian@yosemite.net>]

On Thu May 15 2008 08:33:54 Thijs Kinkhorst wrote:
> I welcome change and review of our processes, but taking one extreme
> incident as the base on which to draw conclusions seems not the wise thing
> to do. If you're interested in for example changing the level to which
> software is patched in Debian, I suggest to start with a representative
> review of what gets patched and why it's done. That would give more base to
> see whether the extensive patching is indeed excessive.

This is not the time to be making statements which will be regretted
later.

It only takes one incident as bad as this to compromise millions of
systems and to seriously harm Debian's reputation.  You can't average
out over all packages and say Debian is 99% secure.

99% secure is 100% insecure.

This incident needs to be reviewed carefully but the time is not yet.  
Information is not as accessible to Debian users as it should be and
some packages don't seem to have reached Testing.  Focus at this time
must still be on disaster response and recovery.

Next come the most important phases - learning from this disaster,
ensuring that a repetition is impossible (or several orders of magnitude
less likely), and preparing Debian's response for the next disaster.

--Mike Bird