This is a discussion on Debian/Ubuntu OpenSSL Random Number Generator Vulnerability within the Slackware Linux Support forums, part of the Unix Operating Systems category.
On Sat, 17 May 2008 17:27:25 +0200, Martin Schmitz wrote:
> Richard James wrote:
>> Basically what happened was this:
>> A debian developer noticed what he thought was a bug in their SSL
>> package. He tried to fix it himself but did not inform the SSL
>> developers of his patch.
>
> This is not true. Actually he did ask the OpenSSL developers and got an
> answer that it would be ok to remove the lines in question:

He did not say to them "I am going to do this and then release the code into the Debian software system." If he had done that, then they would have taken a closer look at the code. What he asked was different from his actions. Basically he asked as if he was going to personally do that to his system; what he did was to publicly release it to every Debian system downstream. If they had known about his true intentions then this would not have occurred.

Besides, what I said is basically what happened. If you want to read all the gory details then read the blog.

> http://marc.info/?l=openssl-dev&m=114651085826293&w=2
>
> And while you're offending debian for its security policy - where are
> the updated libvorbis packages for slackware that are very, very
> urgently needed?

Please don't put words in my mouth. I am not attacking Debian's security policies. I was just informing people of the news. If you read enough of the news you will see that many, many people are upset over this incident, and not just Debian people. For instance it was even mentioned in http://xkcd.com/424/ where the author complains about having to upload the comic several times because his key was blacklisted. If you want to see people questioning the Debian security policy then head over to Debian land and watch the fireworks.

As for the libvorbis packages for Slackware, well I don't know. People might be surprised, but I know very little actually.

Richard James
--
sig fail on line -1
On 2008-05-18, »Q« <boxcars@gmx.net> wrote:
> OTOH, if even one openSSL dev had taken the time to type "just make
> sure you don't ship with those lines commented out", the whole thing
> would have been avoided.

That is correct; however, there was no expectation that these changes would be merged into Debian. While Debian isn't entirely to blame[0], the brunt of it rests on them. The patcher never explicitly said he was going to include those changes in Debian's codebase. Even so, downstream has an obligation to send any and all patches upstream so everyone can benefit from them (or no one will suffer from them, as the case may be).

The best discussion of the troubles I have found was in last week's LWN weekly edition. You can read the relevant article using the link below, even if you are not a subscriber.

http://lwn.net/SubscriberLink/282038/d871e31c79ae0d7e/

[0] The openssl devs don't (didn't?) have any information as to where to actually send patches for vetting. The openssl-dev list is for people developing other applications which use openssl. openssl-team is for contacting the developers, but wasn't mentioned anywhere that anyone could easily find. Had the patch been sent there, it would almost certainly have received a more thorough vetting.

--
It is better to hear the rebuke of the wise,
Than for a man to hear the song of fools.
Ecclesiastes 7:5