On Wednesday 14 May 2008 12:50, Rene Mayrhofer wrote: > What's the current status concerning an automated "fixer" package that > would do all the work of re-created the keys like the openssh-server > package currently does? I don't think it's reasonable to just distribute > the fixed openssl and say (only implicitly within the DSA, which people > might not read in detail) to our users something along the lines of "your > keys created in the past 2 years are completely broken and all your crypto > is insecure - doh, but you're on your own". I also don't think it's > reasonable for all packages that somehow use(d) openssl to create keys to > do their own security fix as openssh-server did (for openssh, I think > that's a good thing because it's the primary entry point for additional, > potentially manual fixing). Fixing different packages should be able to > re-use code and would only bother the user/admin once. Since the commit was already publically made last week we had no choice as to delay the release not more than a few days. Fixing certificates for an ssl-using package is mostly a process specific to that package. I think we'll accept updated packages like the openssh one just as well for other ssl-using packages, but "somone has to do it". The maintainers of course being the most likely candidate since they know their package best. > As it stands now, I don't think this issue is fixed from a user point of > view (just thinking about user ssh keys, which are still wide open....). I'm not sure what that last part about user keys means, since the recent openssh update is designed to block weak user ssh keys. Or what do you mean? Thijs
Attachment:
pgpgLQf69aScZ.pgp
Description: PGP signature