> From: Ross Cameron
quoted text
> Sent: Friday, May 16, 2008 8:31 AM
> To: Otto Moerbeek
> Cc: misc@openbsd.org
> Subject: Re: Debian libssl security (Cause???)
>
>
> Mmmmmmm this isn't the first time I've heard of bogus reports
> from Valgrind.
> How does one politely inform the Debian project to not trust
> it explicitly
> and to human audit anything it flags?
>
> On Fri, May 16, 2008 at 1:41 PM, Otto Moerbeek <otto@drijf.net> wrote:
>
> > On Fri, May 16, 2008 at 01:31:54PM +0200, Ross Cameron wrote:
> >
> > > Anyone got any thoughts on what the Debian project has
> been doing to
> > OpenSSL
> > > to have caused this in the first place?
> >
> > yes, read the stuff posted earlier, it contains all
> relevant links. To
> > summarize, to silence a bogus valgrind warning, almost all
> seeding of
> > the PRNG used by openssl was removed.
> >
> >        -Otto
>
>
>

That only works if the people who are explicitly human auditing
the software is smart enough to know that you can't implicitly
trust something like Valgrind anyway.  So telling them isn't
really all that useful (if they were that smart, they would
already know).

I'm not saying that the Debian devs aren't smart, I'm just
saying that they aren't smart enough that I would trust them
to build a secure system.  This is why I use OpenBSD instead
of Debian Distorted Dingo.... oh wait... or is that some other
linux that uses the stupid names?  oh well...

s