> From: Ross Cameron

quoted text
> Sent: Friday, May 16, 2008 8:31 AM

> To: Otto Moerbeek

> Cc: misc@openbsd.org

> Subject: Re: Debian libssl security (Cause???)

>

>

> Mmmmmmm this isn't the first time I've heard of bogus reports

> from Valgrind.

> How does one politely inform the Debian project to not trust

> it explicitly

> and to human audit anything it flags?

>

> On Fri, May 16, 2008 at 1:41 PM, Otto Moerbeek  wrote:

>

> > On Fri, May 16, 2008 at 01:31:54PM +0200, Ross Cameron wrote:

> >

> > > Anyone got any thoughts on what the Debian project has

> been doing to

> > OpenSSL

> > > to have caused this in the first place?

> >

> > yes, read the stuff posted earlier, it contains all

> relevant links. To

> > summarize, to silence a bogus valgrind warning, almost all

> seeding of

> > the PRNG used by openssl was removed.

> >

> >        -Otto

>

>

>

That only works if the people who are explicitly human auditing

the software is smart enough to know that you can't implicitly

trust something like Valgrind anyway.  So telling them isn't

really all that useful (if they were that smart, they would

already know).
I'm not saying that the Debian devs aren't smart, I'm just

saying that they aren't smart enough that I would trust them

to build a secure system.  This is why I use OpenBSD instead

of Debian Distorted Dingo.... oh wait... or is that some other

linux that uses the stupid names?  oh well...
s