intrigeri wrote:

> Does anyone involved plan to work on improving things, and then we're
> discussing where it would be best to focus their energy?

Yes, kick Kurt Roeckx from his admin privileges to start. It's the easiest
most basic thing you can do. Zero tolerance for crippling software like he
did and it should go for everyone, lest you want another scandal. He still
maintains the critical package that he was either threatened or paid -
probably the latter - to cripple the entropy on by the NSA, and they've had
a war on randomness for a long time now. It should have been done in 2008
when it was discovered after 3 years (that long? perhaps other heads should
roll too). Don't let him resign just remove his auth and leave his
collected things in a box by the door. And not just for OpenSSL, he
contributes to ntp as well. Banish them, there's a line of talented good
people who are in line to replace them.


On Mon, Aug 5, 2013 at 4:17 AM, intrigeri <intrig...@debian.org> wrote:

> Hi,
>
> I need a reality check, as it's unclear to me what are the goals of
> this discussion.
>
> Does anyone involved plan to work on improving things, and then we're
> discussing where it would be best to focus their energy? If that's the
> case, then I suggest we try to design solutions with baby steps that
> can realistically be implemented on the short term.
>
> Or is the goal simply to assess the security of our current
> infrastructure in various threat models? If that's the case, then how
> about clearly writing these threat models so that we can then reason
> on the same basis?
>
> Or is the goal something entirely different that I missed?
>
> Cheers,
> --
>   intrigeri
>   | GnuPG key @ https://gaffer.ptitcanardnoir.org/intrigeri/intrigeri.asc
>   | OTR fingerprint @ https://gaffer.ptitcanardnoir.org/intrigeri/otr.asc
>
