It isn't a "low blow" to honestly state that Debian has not followed good procedure. You could
tell from the bug report yourself that it had been forwarded to a single developer and not a
security group contact and you never bothered to check with us to coordinate a release.
So yes, if you follow good procedure in future then you are not likely to be criticised.
Posted Apr 4, 2008 2:10 UTC (Fri) by abartlet (subscriber, #3928)
It is to do so in the release announcement. Leave such things for a private (or at least not
in the announce mail) discussion with the debian maintainer.
OpenSSH 5.0 released
Posted Apr 4, 2008 4:06 UTC (Fri) by micah (subscriber, #20908)
It's a hard claim to accept that Debian didn't follow good procedure when the bug was reported
in a public forum and existed there for nearly 3 months for all the internet to see. If this
bug was reported via private channels such as vendor-sec and then Debian went about releasing
it to the world anyways, then yes you would be right, but once it's out there, it's out there.
I'm sorry, but there is no undo on the internet.
OpenSSH 5.0 released
Posted Apr 14, 2008 18:02 UTC (Mon) by shane (subscriber, #3335)
To be fair, there are a lot of public forums on the Internet. Every distribution has one, and software developers do not have the time to follow every single possible channel for bug reports.
Normal procedure is for distributions to push bug reports and other patches upstream to the main developers. In my experience distributions tend to be pretty bad about this process, and maybe frustration with this has contributed to the asinine actions from the OpenSSH developers.
OpenSSH 5.0 released
Posted Apr 4, 2008 6:36 UTC (Fri) by bronson (subscriber, #4806)
Wow, two of the first three paragraphs of that press release are spent complaining about
Debian. Tell us more about good procedure? Especially as related to discreet communication?
:)
OpenSSH 5.0 released
Posted Apr 10, 2008 10:55 UTC (Thu) by daniels (subscriber, #16193)
Wow, what an incentive. 'Don't make any mistake ever, and we won't spend our entire release
announcement calling you idiots.' Your generosity is matched only by your kindness.
(Of course, Novell employees are idiots when they make a typo introducing one security bug,
but whoever made this mistake is doubtless not an idiot.)