Re: [SECURITY] [DSA 1571-1] New openssl packages fix predictable random number generator
On 13.05.2008 at 21:47, Jan Luehr wrote:
> Is this statement here (http://www.links.org/?p=327) correct, as far as it goes?
> »Two years ago, they “fixed” a “problem” in OpenSSL reported by valgrind[1] by
> removing any possibility of adding any entropy to OpenSSL’s pool of
> randomness[2]. «
That is correct, see http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=363516.
> it goes on to say
> »Firstly, vendors should not be fixing problems (or, really, anything) in open
> source packages by patching them locally - they should contribute their
> patches upstream to the package maintainers. Had Debian done this in this
> case, we (the OpenSSL Team) would have fallen about laughing, and once we had
> got our breath back, told them what a terrible idea this was. But no, it
> seems that every vendor wants to “add value” by getting in between the user
> of the software and its author.«
That is not correct, because the Debian maintainer asked beforehand on the
openssl-dev mailing list:
http://marc.info/?l=openssl-dev&m=114651085826293&w=2.
The replies were by no means laughter, as far as I can see.
Sven
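To make concrete what "removing any possibility of adding any entropy to the pool" does to key generation, here is an added illustration (example code written for this page, not OpenSSL's md_rand.c and not anything from the Debian bug report or the thread above). It uses a toy hash-chained pool whose `add()` either folds caller-supplied seed material into the state or, in the "broken" variant, silently drops it. The assumption that a process ID is the only varying input the broken pool still sees is made here for the demonstration; the e-mail itself does not state what remained. The `ToyPool`, `generate_key`, `distinct_keys` and `recover_pid` names are all constructed for this example.

```python
import hashlib
import os
import struct


class ToyPool:
    """Toy hash-chained entropy pool (constructed stand-in, not OpenSSL's)."""

    def __init__(self, mix_seed_material: bool):
        # Fixed starting state: everything unpredictable has to come from add().
        self.state = hashlib.sha256(b"toy-pool-initial-state").digest()
        self.mix = mix_seed_material

    def add(self, buf: bytes) -> None:
        # Correct behaviour: fold caller-supplied entropy into the pool.
        # The "broken" variant skips this, mirroring the patch the page describes:
        # callers still call add(), but nothing they pass ever reaches the pool.
        if self.mix:
            self.state = hashlib.sha256(self.state + buf).digest()

    def bytes(self, n: int, pid: int) -> bytes:
        # Assumption for this demo: the process ID is still mixed in on output,
        # so it is the only thing that can vary when add() is a no-op.
        out = b""
        while len(out) < n:
            self.state = hashlib.sha256(self.state + struct.pack("<I", pid)).digest()
            out += self.state
        return out[:n]


def generate_key(pool_mixes_entropy: bool, seed: bytes, pid: int) -> bytes:
    """Derive a 128-bit 'key' after feeding the pool some seed material."""
    pool = ToyPool(pool_mixes_entropy)
    pool.add(seed)
    return pool.bytes(16, pid)


def distinct_keys(pool_mixes_entropy: bool, n_seeds: int, pids) -> int:
    """Count distinct keys over n_seeds fresh seeds x the given process IDs."""
    seeds = [os.urandom(32) for _ in range(n_seeds)]
    keys = {generate_key(pool_mixes_entropy, s, pid) for s in seeds for pid in pids}
    return len(keys)


def recover_pid(target_key: bytes, max_pid: int = 32768):
    """Broken pool: the key space collapses to the pid space, so just enumerate it."""
    for pid in range(1, max_pid + 1):
        if generate_key(False, b"", pid) == target_key:
            return pid
    return None


if __name__ == "__main__":
    pids = range(1, 11)
    print("working pool, 50 seeds x 10 pids ->", distinct_keys(True, 50, pids), "distinct keys")
    print("broken  pool, 50 seeds x 10 pids ->", distinct_keys(False, 50, pids), "distinct keys")
    victim = generate_key(False, os.urandom(32), 31337)
    print("recovered pid for a broken-pool key:", recover_pid(victim))
```

With mixing intact, 50 seeds across 10 process IDs give 500 different keys; with `add()` neutered, the same run yields only 10, one per pid, regardless of how much seed material was "added", and `recover_pid` finds the generating pid by brute force in well under a second. That collapse, not any weakness in the hash, is what made the affected keys predictable.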