
Impact of the Debian OpenSSL vulnerability


Posted May 17, 2008 2:29 UTC (Sat) by Miravlix (subscriber, #48437)
In reply to: Impact of the Debian OpenSSL vulnerability by freethinker
Parent article: Impact of the Debian OpenSSL vulnerability

You could read the story. The problem is precisely that the many eyes weren't used and a clueless guy decided to mess with code he didn't understand. Mistakes made here: 1: A coder messed with code without understanding it. 2: Code wasn't applied, so the "Many Eyes" concept was used to find the horrible flaw.



Impact of the Debian OpenSSL vulnerability

Posted May 17, 2008 7:03 UTC (Sat) by BackSeat (subscriber, #1886)

a clueless guy decided to mess with code he didn't understand.

So what should this "clueless guy" do when he wants to make a change? He should have checked with the OpenSSL folk to ask if there was a problem in making the change. Which is exactly what he did. You may want to read the other LWN articles on this vulnerability: no one is saying that the Debian maintainer is innocent, but he certainly isn't the only one who should accept some responsibility for what happened.

Impact of the Debian OpenSSL vulnerability

Posted May 18, 2008 16:11 UTC (Sun) by dvdeug (subscriber, #10998)

Virtually all of the code that most people run comes from the distribution. If no one is looking at the distribution-local patches, then it is a failure of the many eyes concept. If the distributions aren't sending their patches upstream, or the upstream is actively hostile to the distributions, then it's a failure of the many eyes concept. Not that this would have got noticed in a proprietary system until many systems got hacked, but that's no excuse.

Copyright © 2008, Eklektix, Inc.
Comments and public postings are copyrighted by their creators.