Impact of the Debian OpenSSL vulnerability

Posted May 17, 2008 22:17 UTC (Sat) by madscientist (subscriber, #16861)
Parent article: Impact of the Debian OpenSSL vulnerability

I agree there is plenty of blame to go around: the Debian maintainer needs to accept some (if
you're maintaining a software package that is used by virtually the entire (F/OSS) world to
secure its computers, it behooves you to proceed with the most extreme caution and
circumspection possible), and the OpenSSL folks do too (a secret cabal mailing list is the
only reliable way to contact developers?!?!  Come on, that's lame.)

But to me the fundamental mistake here is EXACTLY the same as the recent OpenSSH 4.9->5.0
issue: the lack of upstream forwarding of patches.  To my mind it's an intrinsic
responsibility of every single downstream maintainer to forward upstream every patch they make
and every bug they receive, unless they are provably ONLY applicable to the distro and not the
base software.  I don't care if the developers are grumpy or mean or never accept patches
anyway or whatever: you still have to forward every single one and work with them as best you
can.  That also includes identifying yourself as the package maintainer for a given distro in
EVERY correspondence with upstream and making it clear when proposed changes are intended to
go into the distro proper.

IMO, if you can't sign up for that amount of work then you're not the right person to be
maintaining the package.  Especially not one like OpenSSL!

So, although I'm sure he's a great guy and I don't blame him for introducing the bug (everyone
makes mistakes!), in this case I do personally feel forced to lay the bulk of the responsibility
for the debacle at the Debian maintainer's feet---for not forwarding the patch or working
effectively with upstream developers.  That's not to say I don't understand what happened or
that I'm not sympathetic, because I do and I am.

I just hope everyone who maintains a package can learn from these recent problems and make a
renewed commitment to upstream developers--maybe we can make an adjustment to the distro
maintainer responsibilities documentation for each distro.  It would be great if something
positive was achieved as a result of this.

Impact of the Debian OpenSSL vulnerability

Posted May 19, 2008 10:32 UTC (Mon) by dvdeug (subscriber, #10998)

But I think it a deep question; why is it the closely related group of OpenSSL and OpenSSH
developers who have this problem? Why is it that Debian developers can work hand in hand with
the developers on the X lists, on the GCC lists, on the kernel lists, but have trouble even
finding the OpenSSL list?

Impact of the Debian OpenSSL vulnerability

Posted May 19, 2008 20:12 UTC (Mon) by nix (subscriber, #2304)

*Are* they a closely-related group? I thought the similarity of names was coincidence: but
the similarity in... insular development styles does seem like it's stretching coincidence a
bit.

Impact of the Debian OpenSSL vulnerability

Posted May 20, 2008 1:05 UTC (Tue) by dvdeug (subscriber, #10998)

Oops... bad assumption. Apparently there's no direct connection between OpenSSL and OpenSSH;
Wikipedia states "Because of the prefix Open- on its name, OpenSSL is often associated with
OpenBSD; which distributes several programs using the naming style of Open*, like OpenSSH.
This is however a mistake as OpenSSL is developed completely outside of the scope of OpenBSD
by The OpenSSL Project".

Copyright © 2008, Eklektix, Inc.
Comments and public postings are copyrighted by their creators.
Linux is a registered trademark of Linus Torvalds