[Eug-lug] the debian openssl debacle
larry price
laprice at gmail.com
Tue May 13 21:50:57 PDT 2008
So I've just finished upgrading all the various Debian and Ubuntu
boxes I control, and am about 75% done with the rekeying work that
goes with it.
(If you have no idea what I'm talking about and you run a Debian-based
distro, go update your OS now, before you read the rest of this email.)
1. not happy that this completely unnecessary vulnerability was out
there for more than a year without being found.
2. happy that it was found through reviews and analysis by project
members rather than through my machines being compromised.
3. wondering what could have been done differently to prevent this.
Addressing #3: it would be nice to write a check to someone to go
towards hiring one of the OpenSSL core developers to be the Debian
package maintainer; not sure who that would be or if that would even
be the right solution (I seem to remember various circular firing
squads forming up in Debian over who did and did not get money for
working on the project).
//good night