Friday, May 16, 2008

debian openssl bug

It has been blogged everywhere ... but the problem it's not the bug itself , "errare humanum est " ... and that's ~fair enough.

What's irritating --AGAIN!-- is Debian attitude of not feeding patches back upstream, specially when messing with such security sensitive packages, doing this would have effectively caught the bug and --albeit some deserved flame-- would have void the current situation.

By this arrogant attitude, they break the very power of FLOSS: collaboration, cross-fertilization, moooore eyes on your source.

Another thing to note: let's push against monocultures, that is: the more different distros and FLOSS OSes ... the better!

And now: something [not] completely different ...


img source: kriptopolis.org

2 comments:

redondos said...

There was indeed some sort of discussion about this on openssl-dev:

http://marc.info/?l=openssl-dev&m=114651085826293&w=2

JuanJo said...

discussion != [PATCH]

ie: it's not "official" code intended to be merged.

Also in that post, there is never exposed the intention to change a MAJOR distribution's package, neither he's using @debian.org.

Maybe good intentions in theory, but crappy in practice (as usual w/security affairs when taken lightly).