On Wed, 14 May 2008, chefren wrote:

> On 5/13/08 7:08 PM, Marc Espie wrote:
> 
> > More details show that someone seriously fucked up in debian.
> 
> Well, this Kurt has seriously asked for details on the relevant openssl-dev
> list:
> 
> http://marc.info/?l=openssl-dev&m=114651085826293&w=2
> 
> And see what "arrogant as usual" Ben Laurie states:
> 
> http://www.links.org/?p=327
>
> "they should contribute their patches upstream to the package
> maintainers. Had Debian done this in this case, we (the OpenSSL Team)
> would have fallen about laughing, and once we had got our breath back,
> told them what a terrible idea this was."
>
> Kurt has clearly done so,

No, he hasn't. A question posed to a predominantly users' mailing list is
not the same as a proper bug report and patch submission. Vendors,
especially the size of Debian, should be held to a high standard of
behaviour. Critically, he didn't identify that he was considering removing
these lines *for every user of Debian*.

> and I know personally of another totally
> ignored patch from our company and I have heard in the past about
> OpenBSD people trying to send patches to OpenSSL maintainers to no
> avail.

Speaking as someone who has done the last two revs of the OpenBSD libssl,
I haven't tried to upstream our changes - they're OpenBSD-specific things
like using /dev/arandom and /dev/crypto. I think that any serious patch
we sent would have a good chance of inclusion.

> The OpenSSL maintainers have proven not to read their mail, they aren't
> interested in cleaning up their big mess.
>
> Laurie also states "never fix a bug you don't understand" and this
> OpenSSL "hero" seems to forget that something that seems smart and OK
> now and here can be plain bad and ugly when looked at with some more
> distance or knowledge.

No, he is 100% correct. Vendors "adding value" to security software
when they lack basic code comprehension skills is simply dangerous to
their users. It is surprising that this should be controversial.

> His "Adding uninitialised memory to it can do no harm and might do
> some good, which is why we do it." is pure arrogant and shortsighted
> shit to me.

Congratulations, you have just demonstrated yourself to be the same
category of incomprehension as the Debian developers.

-d