Re: More details show that someone seriously fucked up in debian. [Was: Re: Debian libssl security (OpenSSH safe?)]

Previous message: [thread] [date] [author]
Next message: [thread] [date] [author]

To: chefren <chefren@...>

Cc: openbsd-misc <misc@...>

Subject: Re: More details show that someone seriously fucked up in debian. [Was: Re: Debian libssl security (OpenSSH safe?)]

Date: Thursday, May 15, 2008 - 2:05 pm

On Wed, 14 May 2008, chefren wrote:

> On 5/13/08 7:08 PM, Marc Espie wrote:

quoted text

>
> > More details show that someone seriously fucked up in debian.
>
> Well, this Kurt has seriously asked for details on the relevant openssl-dev
> list:
>
> http://marc.info/?l=openssl-dev&m=114651085826293&w=2
>
> And see what "arrogant as usual" Ben Laurie states:
>
> http://www.links.org/?p=327
>
> "they should contribute their patches upstream to the package
> maintainers. Had Debian done this in this case, we (the OpenSSL Team)
> would have fallen about laughing, and once we had got our breath back,
> told them what a terrible idea this was."
>
> Kurt has clearly done so,

No, he hasn't. A question posed to a predominatly users' mailing list is
not the same as a proper bug report and patch submission. Vendors,
especially the size of Debian, should be held to a high standard of
behaviour. Critically, he didn't identify that he was considering removing
these lines *for every user of Debian*.

> and I know personally of another totally

quoted text

> ignored patch from our company and I have heard in the past about
> OpenBSD people trying to send patches to OpenSSL maintainers to no
> avail.

Speaking as someone who has done the last two revs of the OpenBSD libssl,
I haven't tried to upstream our changes - they OpenBSD specific things
like using /dev/arandom and /dev/crypto. I think that any serious patch
we sent would have a good chance of inclusion.

> The OpenSSL maintainers have proven not to read their mail, they aren't

quoted text

> interested in cleaning up their big mess.
>
> Laurie also states "never fix a bug you dont understand" and this
> OpenSSL "hero" seems to forget that something that seems smart and OK
> now and here can be plain bad and ugly when looked at with some more
> distance or knowledge.

No, he is 100% correct. Vendors "adding value" to security software
when they lack basic code comprehension skills is simply dangerous to
their users. It is surprising that this should be controversial.

> His "Adding uninitialised memory to it can do no harm and might do

quoted text

> some good, which is why we do it." is pure arrogant and shortsighted
> shit to me.

Congratulations, you have just demonstrated youself to be the same
category of incomprehension as the Debian developers.

-d

Previous message: [thread] [date] [author]
Next message: [thread] [date] [author]

Messages in current thread:

Debian libssl security (OpenSSH safe?), Juan Miscaro, (Tue May 13, 11:37 am)

Re: Debian libssl security (OpenSSH safe?), Sean Malloy, (Tue May 13, 12:14 pm)

Re: Debian libssl security (OpenSSH safe?), Gabriel Linder, (Wed May 14, 3:41 am)

Re: Debian libssl security (OpenSSH safe?), Otto Moerbeek, (Wed May 14, 7:22 am)

Re: Debian libssl security (OpenSSH safe?), Ted Unangst, (Wed May 14, 7:24 am)

Re: Debian libssl security (OpenSSH safe?), raven, (Wed May 14, 7:45 pm)

Re: Debian libssl security (OpenSSH safe?), Darrin Chandler, (Wed May 14, 8:22 pm)

Re: Debian libssl security (OpenSSH safe?), Ben Calvert, (Wed May 14, 8:30 pm)

Re: Debian libssl security (OpenSSH safe?), Ted Unangst, (Wed May 14, 10:22 pm)

Re: Debian libssl security (OpenSSH safe?), Darrin Chandler, (Wed May 14, 10:43 pm)

Re: Debian libssl security (OpenSSH safe?), Otto Moerbeek, (Thu May 15, 1:11 am)

Re: Debian libssl security (OpenSSH safe?), Dave Ewart, (Thu May 15, 5:02 am)

Re: Debian libssl security (OpenSSH safe?), Tim Post, (Thu May 15, 5:44 am)

Re: Debian libssl security (OpenSSH safe?), Darrin Chandler, (Thu May 15, 9:31 am)

Re: Debian libssl security (OpenSSH safe?), Tim Post, (Fri May 16, 2:51 am)

Re: Debian libssl security (OpenSSH safe?), Ted Unangst, (Wed May 14, 11:10 pm)

Re: Debian libssl security (OpenSSH safe?), Jussi Peltola, (Wed May 14, 8:53 pm)

Re: Debian libssl security (OpenSSH safe?), Douglas A. Tutty, (Thu May 15, 9:52 am)

Re: Debian libssl security (OpenSSH safe?), Marc Espie, (Tue May 13, 1:00 pm)

More details show that someone seriously fucked up in debian..., chefren, (Tue May 13, 6:48 pm)

Re: More details show that someone seriously fucked up in de..., Damien Miller, (Thu May 15, 2:05 pm)

Re: More details show that someone seriously fucked up in de..., Otto Moerbeek, (Wed May 14, 2:47 am)

Re: More details show that someone seriously fucked up in de..., Otto Moerbeek, (Wed May 14, 7:53 am)


linux-kernel:
monstr	[PATCH 03/56] microblaze_v2: Cpuinfo handling
Andrew Morton	Re: Dual-Licensing Linux Kernel with GPL V2 and GPL V3
Greg KH	[GIT PATCH] driver core patches against 2.6.24
Arjan van de Ven	Re: [GIT *] Allow request_firmware() to be satisfied from in-kernel, use it in mor...
git:

linux-netdev:
Willy Tarreau	Re: [PATCH] tcp: splice as many packets as possible at once
Gerrit Renker	[PATCH 27/37] dccp: Integration of dynamic feature activation - part 2 (server side)
Linus Torvalds	Re: [GIT]: Networking
Alexey Dobriyan	[PATCH 01/53] xfrm: initialise xfrm_policy_gc_work statically
openbsd-misc:

Re: More details show that someone seriously fucked up in debian. [Was: Re: Debian libssl security (OpenSSH safe?)]

Online users