Cryptographic weakness on Debian systems

Posted May 13, 2008 18:42 UTC (Tue) by mbanck (subscriber, #9035)
In reply to: Cryptographic weakness on Debian systems by tialaramex
Parent article: Cryptographic weakness on Debian systems

> But it seems that Debian people did go to the OpenSSL developers two years ago, and they got told more or less that if it shuts up Valgrind then it's fine.

That's interesting, do you have a link/citation for that?

Michael


Cryptographic weakness on Debian systems

Posted May 13, 2008 18:45 UTC (Tue) by jamessan (subscriber, #12612)

http://marc.info/?t=114651088900003&r=1&w=2 is the thread on openssl-dev

Cryptographic weakness on Debian systems

Posted May 13, 2008 18:45 UTC (Tue) by mbanck (subscriber, #9035)

Probably this one, replying to the Debian openssl maintainer:

http://marc.info/?l=openssl-dev&m=114652287210110&...

Michael

Cryptographic weakness on Debian systems

Posted May 13, 2008 18:51 UTC (Tue) by tialaramex (subscriber, #21167)

Here's a smoking gun OpenSSL developer mailing list thread. Already linked above actually...

http://marc.info/?t=114651088900003&r=1&w=2

I don't know if anyone in that conversation "represents" OpenSSL in some sense, but there was
plenty of opportunity for anyone, even an interested bystander to interject "that is a
terrible idea" and no-one did.

Cryptographic weakness on Debian systems

Posted May 13, 2008 19:50 UTC (Tue) by nix (subscriber, #2304)

Apparently that's a list for people developing apps *with* openssl, and 
the openssl devs don't all read it.

(If so, well done openssl: not only is your code an uncommented 
stylistically awful dog's dinner, your mailing lists also have 
ridiculously misleading names. There's a reason I encourage GnuTLS use 
over OpenSSL wherever possible, and it's not the license...)

Cryptographic weakness on Debian systems

Posted May 13, 2008 19:57 UTC (Tue) by jake (editor, #205)

> Apparently that's a list for people developing apps *with* openssl, and the openssl devs don't all read it.

That's what Ben Laurie said, but the web page for OpenSSL support says different:

> Discussions on development of the OpenSSL library. Not for application development questions!

So it would seem like a reasonable place to ask questions of that nature.

jake

Cryptographic weakness on Debian systems

Posted May 13, 2008 20:16 UTC (Tue) by dark (subscriber, #8483)

The README distributed with openssl also says to submit patches to 
openssl-dev. And the FAQ on openssl.org ("How can I contact the OpenSSL 
developers?") says to look in the README.

Cryptographic weakness on Debian systems

Posted May 14, 2008 0:42 UTC (Wed) by nix (subscriber, #2304)

OK, I'll go and be quiet in the corner for not fact-checking before 
burbling. Apologies.

Cryptographic weakness on Debian systems

Posted May 14, 2008 23:54 UTC (Wed) by cortana (subscriber, #24596)

Well, don't feel so bad. The OpenSSL developers also didn't bother fact-checking either. ;)

Cryptographic weakness on Debian systems

Posted May 15, 2008 4:20 UTC (Thu) by ajf (subscriber, #10844)

If a member of the OpenSSL team got it wrong, you can hardly blame yourself for believing him.
