> From: Ross Cameron
> Sent: Friday, May 16, 2008 8:31 AM
> To: Otto Moerbeek
> Cc: misc@openbsd.org
> Subject: Re: Debian libssl security (Cause???)
>
> Mmmmmmm this isn't the first time I've heard of bogus reports from Valgrind.
> How does one politely inform the Debian project to not trust it explicitly
> and to human audit anything it flags?
>
> On Fri, May 16, 2008 at 1:41 PM, Otto Moerbeek <[EMAIL PROTECTED]> wrote:
>
> > On Fri, May 16, 2008 at 01:31:54PM +0200, Ross Cameron wrote:
> >
> > > Anyone got any thoughts on what the Debian project has been doing to OpenSSL
> > > to have caused this in the first place?
> >
> > yes, read the stuff posted earlier, it contains all relevant links. To
> > summarize, to silence a bogus valgrind warning, almost all seeding of
> > the PRNG used by openssl was removed.
> >
> > -Otto
That only works if the people who are explicitly human auditing the software are smart enough to know that you can't implicitly trust something like Valgrind anyway. So telling them isn't really all that useful (if they were that smart, they would already know). I'm not saying that the Debian devs aren't smart, I'm just saying that they aren't smart enough that I would trust them to build a secure system. This is why I use OpenBSD instead of Debian Distorted Dingo.... oh wait... or is that some other Linux that uses the stupid names? oh well... s
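The failure Otto describes above (a mixing step removed to quiet a Valgrind warning, leaving the PRNG effectively unseeded) is the kind of regression a small test catches. The following is an added illustration, not code from this thread, from OpenSSL, or from Debian: it uses a constructed toy 64-bit PRNG (a splitmix64-style mixer, nothing like OpenSSL's real md_rand) with two seeding routines, one that absorbs the entropy buffer and the pid, and a "silenced" one that models the removed mixing call and absorbs only the pid. The check `entropy_affects_output` seeds two generators with the same pid but different entropy and reports whether the first output word differs; a seeding routine that passes the Valgrind-silencing edit but fails this check has lost its entropy source.

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>
#include <stdio.h>

/* Toy PRNG state. Constructed for this example only; it is not OpenSSL's PRNG. */
typedef struct { uint64_t state; } toy_rng;

/* splitmix64 finaliser, used here as the mixing step (a bijection on 64-bit words). */
static uint64_t mix64(uint64_t z) {
    z ^= z >> 30; z *= 0xbf58476d1ce4e5b9ULL;
    z ^= z >> 27; z *= 0x94d049bb133111ebULL;
    z ^= z >> 31;
    return z;
}

/* Absorb a byte buffer into the state: the analogue of the mixing call that was removed. */
static void rng_add(toy_rng *r, const unsigned char *buf, size_t n) {
    for (size_t i = 0; i < n; i++)
        r->state = mix64(r->state ^ ((uint64_t)buf[i] << ((i % 8) * 8)));
}

/* Produce one 64-bit output word. */
static uint64_t rng_next(toy_rng *r) {
    r->state += 0x9e3779b97f4a7c15ULL;
    return mix64(r->state);
}

typedef void (*seed_fn)(toy_rng *, const unsigned char *, size_t, uint32_t);

/* Intended seeding: mix in the collected entropy, then the pid. */
static void seed_full(toy_rng *r, const unsigned char *entropy, size_t n, uint32_t pid) {
    r->state = 0;
    rng_add(r, entropy, n);
    rng_add(r, (const unsigned char *)&pid, sizeof pid);
}

/* "Silenced" seeding: the entropy mixing step is gone, only the pid is absorbed. */
static void seed_silenced(toy_rng *r, const unsigned char *entropy, size_t n, uint32_t pid) {
    (void)entropy; (void)n;   /* the buffer is ignored, exactly the regression being modelled */
    r->state = 0;
    rng_add(r, (const unsigned char *)&pid, sizeof pid);
}

/* Regression check: same pid, different entropy buffers. Returns 1 if the entropy source
 * changes the first output word (as it must), 0 if the output depends on the pid alone. */
int entropy_affects_output(seed_fn seed) {
    unsigned char e1[32], e2[32];
    memset(e1, 0x11, sizeof e1);   /* constructed sample "entropy" A */
    memset(e2, 0x22, sizeof e2);   /* constructed sample "entropy" B */
    toy_rng a, b;
    seed(&a, e1, sizeof e1, 4242);
    seed(&b, e2, sizeof e2, 4242);
    return rng_next(&a) != rng_next(&b);
}

int check_full(void)     { return entropy_affects_output(seed_full); }
int check_silenced(void) { return entropy_affects_output(seed_silenced); }

int main(void) {
    printf("full seeding:     entropy %s output\n",
           check_full() ? "affects" : "does NOT affect");
    printf("silenced seeding: entropy %s output\n",
           check_silenced() ? "affects" : "does NOT affect");
    return 0;
}
```

The check deliberately holds the pid constant: a generator whose only remaining input is a small value such as a pid will return identical output for identical pids, which is the property the full seeding routine passes and the silenced one fails. In a real code base this belongs in the test suite next to the PRNG so that a change made to satisfy a tool (Valgrind here) is still judged on its cryptographic effect.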