
Re: ssl security desaster (was: Re: SSH keys: DSA vs RSA)



On Thursday, 15.05.2008, 17:33 +0200, Thijs Kinkhorst wrote:
> On Thursday 15 May 2008 16:47, Martin Uecker wrote:
> > > You mean less likely than once in 15 years? We're open to your
> > > suggestions.
> >
> > Something as bad as this might be rare, still, if something can be
> > improved, it should.
> >
> > Upstream complained about the extensive Debian patching. I think this
> > is a valid criticism.
> 
> Of course things can be improved, probably always. I don't think that just one 
> incident means that nothing must be changed, but I also contest that this 
> incident in and of itself requires changes to be made. One incident just 
> doesn't tell us much about the quality of Debian patches in general, either 
> way.

I don't question the quality of Debian patches in general. But I
still think that something can be learned from this single
incident. The security advantage of open source software
is said to be: "Many Eyes Make All Bugs Shallow!" This of course
cannot work if every distribution basically creates its own
branch.

> That's also what I dislike in Ben Laurie's blog post: he bases his conclusion 
> on just this thing that indeed went horribly wrong, but is far from exemplary 
> for all patching that Debian, or distributions in general, do. I don't think 
> he realises that far from all upstreams are as ideal as he seems to think.

I am missing some self-criticism too. The use of uninitialized memory
should have been fixed upstream long ago. (And this is *not* a rare
case where the use of uninitialized memory is ok.)

> I welcome change and review of our processes, but taking one extreme incident 
> as the base on which to draw conclusions seems not the wise thing to do.

Why not? A plane crash is a very rare incident. Still, every single
crash is investigated to make recommendations for its future
avoidance.

> If you're interested in for example changing the level to which software is 
> patched in Debian, I suggest to start with a representative review of what 
> gets patched and why it's done. That would give more base to see whether the 
> extensive patching is indeed excessive.

I do not have time to do statistics, but from looking at a lot of
packages over the years I know that there are many changes in Debian
packages which are not related to packaging. Besides security
fixes or other really important fixes which have to go in very fast,
I do not see any reason for all these Debian-specific changes.

Martin