Impact of the Debian OpenSSL vulnerability
Posted May 17, 2008 1:32 UTC (Sat) by freethinker (guest, #4397)
Parent article: Impact of the Debian OpenSSL vulnerability
I find it quite revealing that it took the "many eyes" supposedly possessed by the free software community over a year and a half to notice such a serious bug - and this in Debian, one of the most widely used distributions. Time we buried the "many eyes" myth once and for all.
Impact of the Debian OpenSSL vulnerability
Posted May 17, 2008 2:29 UTC (Sat) by Miravlix (subscriber, #48437)

You could read the story. The problem is precisely that the many eyes weren't used and a clueless guy decided to mess with code he didn't understand.

Mistakes made here:
1: A coder who didn't understand the code messed with it.
2: Code wasn't applied, so the "Many Eyes" concept was used to find the horrible flaw.
Impact of the Debian OpenSSL vulnerability
Posted May 17, 2008 7:03 UTC (Sat) by BackSeat (subscriber, #1886)

> a clueless guy decided to mess with code he didn't understand.

So what should this "clueless guy" do when he wants to make a change? He should have checked with the OpenSSL folk to ask if there was a problem in making the change. Which is exactly what he did. You may want to read the other LWN articles on this vulnerability: no one is saying that the Debian maintainer is innocent, but he certainly isn't the only one who should accept some responsibility for what happened.
Impact of the Debian OpenSSL vulnerability
Posted May 18, 2008 16:11 UTC (Sun) by dvdeug (subscriber, #10998)

Virtually all of the code that most people run comes from the distribution. If no one is looking at the distribution-local patches, then it is a failure of the many eyes concept. If the distributions aren't sending their patches upstream, or the upstream is actively hostile to the distributions, then it's a failure of the many eyes concept. Not that this would have got noticed in a proprietary system until many systems got hacked, but that's no excuse.
"Many Eyes" still wins
Posted May 17, 2008 8:11 UTC (Sat) by PO8 (guest, #41661)

What makes you think this bug *ever* would have been found by anyone other than particularly clever miscreants in a proprietary system? There are few people looking for similar bugs in closed SW, and even fewer that have any motivation to do anything other than conceal these bugs when they find them. As far as I know, this bug was finally found when Bello noticed a bad patch had been applied, and was able to diagnose the resulting weakness by inspecting the source. Other than that, "many eyes" hasn't helped at all here...
Copyright © 2008, Eklektix, Inc.