Martin Nix wrote:
Yes, I read this earlier - hopefully it will encourage a bit more peer review, particularly on security-related code. Really wouldn't have expected this to have happened in something so core on such a ubiquitous distro.
It would appear that Debian have a habit of making changes that do not get fed back upstream; the right place for peer review on this would be around the OpenSSH community not around the end users, imho.
There's absolutely no doubt in my mind that the peer review model works better than the closed alternative, it's just amazing that this has taken 18+ months to come to light.
To the credit of Ubuntu devs, they seem to have been very fast out with tools for fixing the problem (i.e. not just fixing the bug, but seeking out and replacing bad keys). Their tools have gone upstream to Debian. (At least it looks to me like it was an Ubuntu fix that went upstream, not the other way around.)
-- Mark Rogers // More Solutions Ltd (Peterborough Office) // 0845 45 89 555 Registered in England (0456 0902) at 13 Clarke Rd, Milton Keynes, MK1 1LG
