On Wed, 14 May 2008, chefren wrote:

> On 5/13/08 7:08 PM, Marc Espie wrote:
>
> > More details show that someone seriously fucked up in Debian.
>
> Well, this Kurt has seriously asked for details on the relevant openssl-dev
> list:
>
> http://marc.info/?l=openssl-dev&m=114651085826293&w=2
>
> And see what "arrogant as usual" Ben Laurie states:
>
> http://www.links.org/?p=327
>
> "they should contribute their patches upstream to the package
> maintainers. Had Debian done this in this case, we (the OpenSSL Team)
> would have fallen about laughing, and once we had got our breath back,
> told them what a terrible idea this was."
>
> Kurt has clearly done so,

No, he hasn't. A question posed to a predominantly users' mailing list is not the same as a proper bug report and patch submission. Vendors, especially the size of Debian, should be held to a high standard of behaviour. Critically, he didn't identify that he was considering removing these lines *for every user of Debian*.

> and I know personally of another totally
> ignored patch from our company and I have heard in the past about
> OpenBSD people trying to send patches to OpenSSL maintainers to no
> avail.

Speaking as someone who has done the last two revs of the OpenBSD libssl, I haven't tried to upstream our changes - they are OpenBSD-specific things like using /dev/arandom and /dev/crypto. I think that any serious patch we sent would have a good chance of inclusion.

> The OpenSSL maintainers have proven not to read their mail, they aren't
> interested in cleaning up their big mess.
>
> Laurie also states "never fix a bug you don't understand" and this
> OpenSSL "hero" seems to forget that something that seems smart and OK
> now and here can be plain bad and ugly when looked at with some more
> distance or knowledge.

No, he is 100% correct. Vendors "adding value" to security software when they lack basic code comprehension skills is simply dangerous to their users. It is surprising that this should be controversial.

> His "Adding uninitialised memory to it can do no harm and might do
> some good, which is why we do it." is pure arrogant and shortsighted
> shit to me.

Congratulations, you have just demonstrated yourself to be in the same category of incomprehension as the Debian developers.

-d
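The disputed sentence, "Adding uninitialised memory to it can do no harm and might do some good", is a statement about how hash-mixed entropy pools behave, and it can be checked rather than argued about. The following is an added example written for this thread; it is not code from the message, from OpenSSL or from Debian. It assumes a simplified pool whose state is updated as SHA-256(old state || input) (OpenSSL's real mixing code is not reproduced here), and the seed spaces it enumerates are constructed: a 16-bit seed space standing in for whatever genuine entropy was gathered, a fixed "junk" buffer standing in for uninitialised bytes an attacker may happen to know, and a 16-bit counter standing in for a low-range value that is the only thing left once the real seeding is removed.

```python
"""Toy hash-mixed entropy pool.

Shows two things about a pool that folds input through a collision-resistant
hash: (1) mixing in extra bytes, even bytes the attacker knows, does not reduce
the number of reachable states, so it cannot lower the pool's entropy;
(2) if the genuine seed is never mixed in, the reachable states collapse to the
range of whatever small value still is.  Example code written for this thread;
the SHA-256(state || input) construction is an illustration, not OpenSSL's code.
"""
import hashlib
import math
from typing import Iterable, Optional

POOL_SIZE = 32  # bytes; SHA-256 digest length


def mix(state: bytes, data: bytes) -> bytes:
    """Fold `data` into the pool: new state = SHA-256(old state || data)."""
    return hashlib.sha256(state + data).digest()


def derive_state(seed: bytes, extra: Optional[bytes]) -> bytes:
    """Seed an all-zero pool with `seed`, then optionally mix in `extra`."""
    state = mix(b"\x00" * POOL_SIZE, seed)
    if extra is not None:
        state = mix(state, extra)
    return state


def count_distinct_states(seed_space: Iterable[bytes], extra: Optional[bytes]) -> int:
    """Number of different pool states the seed space can produce.

    Because distinct seeds hash to distinct states (barring a SHA-256
    collision), the count is the same with or without `extra`: known or
    uninitialised extra input neither adds to nor subtracts from the entropy
    contributed by the seed.
    """
    return len({derive_state(seed, extra) for seed in seed_space})


def count_unseeded_states(small_value_space: Iterable[bytes]) -> int:
    """States reachable when the real seed is dropped and the pool only ever
    sees a low-range value; this is the failure mode of removing seeding."""
    return len({mix(b"\x00" * POOL_SIZE, v) for v in small_value_space})


def entropy_bits(distinct_states: int) -> float:
    """Entropy of a uniform choice among `distinct_states` outcomes."""
    return math.log2(distinct_states)


if __name__ == "__main__":
    # Constructed: 2**16 equally likely seeds, i.e. 16 bits of entropy.
    seeds = [i.to_bytes(2, "big") for i in range(2**16)]
    # Constructed: stands in for uninitialised stack bytes the attacker knows.
    junk = b"\xcc" * POOL_SIZE
    print("seed only     :", entropy_bits(count_distinct_states(seeds, None)), "bits")
    print("seed + junk   :", entropy_bits(count_distinct_states(seeds, junk)), "bits")
    # Constructed: a 15-bit counter as the sole input once seeding is removed.
    counter = [i.to_bytes(2, "big") for i in range(2**15)]
    print("counter only  :", entropy_bits(count_unseeded_states(counter)), "bits")
```

The first two lines of output are identical, which is the "can do no harm" half of Laurie's sentence; the third shows that what decides the strength of the output is what actually gets mixed in, not what is mixed in on top of it.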