Hi,
this was the best write-up on the subject I read in the past few days. Many thanks.
I for one think that my subscription money is well spent when I read these articles, clearly stating each side's position.
I would encourage you to open this article sooner to the wide public, so that we can spread the link.
Best regards,
Posted May 22, 2008 6:10 UTC (Thu) by ketilmalde (guest, #18719)
The second best writeup. The best one is definitely the one at xkcd.
Debian, OpenSSL, and a lack of cooperation
Posted Mar 23, 2011 5:31 UTC (Wed) by cce_ (guest, #73808)
There's a much better technical writeup of exactly what Kurt Roeckx got wrong by Gergely Risko. He didn't just comment out a couple of lines because they told him it was okay.
He ignored working -DPURIFY #ifdefs (and advice that they worked, and to use them) that could've easily solved his problem. Then he commented out code that wasn't part of his problem (and wasn't surrounded by #ifdef PURIFY, a clear signal that it was a dicey idea) out of sheer ignorance.
The guy had no idea what the code he was editing actually DID, and had no business editing OpenSSL without telling anyone. He notified no one on the OpenSSL list that he was about to commit changes that would affect the security of millions of computers.
Read the thread yourself; they gave him good advice (try -DPURIFY) and he ignored it, then never followed up to show them the patch he recklessly committed. The level of negligence and hubris he showed is nearly criminal.