Friday, May 16, 2008

debian openssl bug

It has been blogged everywhere, but the problem is not the bug itself (a Debian-specific change to the seeding of OpenSSL's random number generator that left keys generated on Debian systems drawn from a small, predictable set): errare humanum est, and that's fair enough.

What's irritating, AGAIN, is Debian's attitude of not feeding patches back upstream, especially when messing with such security-sensitive packages. Doing so would very likely have caught the bug in upstream review and, albeit with some deserved flaming, would have avoided the current situation.

With this arrogant attitude they break the very power of FLOSS: collaboration, cross-fertilization, moooore eyes on your source.

Another thing to note: let's push against monocultures; that is, the more different distros and FLOSS OSes, the better! This one bug hit every Debian derivative at once.

And now: something [not] completely different ...

redondos said...

There was indeed some sort of discussion about this on openssl-dev:

JuanJo said...

discussion != [PATCH]

i.e., it's not "official" code intended to be merged.

Also, in that post the intention to change a MAJOR distribution's package is never made explicit, nor is he using

Maybe good intentions in theory, but crappy in practice (as usual with security affairs when taken lightly).