Re: More details show that someone seriously fucked up in debian. [Was: Re: Debian libssl security (OpenSSH safe?)]

To: chefren <chefren@...>
Cc: openbsd-misc <misc@...>
Date: Thursday, May 15, 2008 - 2:05 pm

On Wed, 14 May 2008, chefren wrote:

> On 5/13/08 7:08 PM, Marc Espie wrote:

No, he hasn't. A question posed to a predominantly users' mailing list is
not the same as a proper bug report and patch submission. Vendors,
especially the size of Debian, should be held to a high standard of
behaviour. Critically, he didn't identify that he was considering removing
these lines *for every user of Debian*.

> and I know personally of another totally

Speaking as someone who has done the last two revs of the OpenBSD libssl,
I haven't tried to upstream our changes - they are OpenBSD specific things
like using /dev/arandom and /dev/crypto. I think that any serious patch
we sent would have a good chance of inclusion.

> The OpenSSL maintainers have proven not to read their mail, they aren't

No, he is 100% correct. Vendors "adding value" to security software
when they lack basic code comprehension skills is simply dangerous to
their users. It is surprising that this should be controversial.

> His "Adding uninitialised memory to it can do no harm and might do

Congratulations, you have just demonstrated yourself to be in the same
category of incomprehension as the Debian developers.

-d


Messages in current thread:
Re: More details show that someone seriously fucked up in de..., Damien Miller, (Thu May 15, 2:05 pm)