And how do you know if you understand the bug or not? The way Ben Laurie puts it, it's basically "trust us; we're smarter than you." The Debian maintainer asked openssl-dev if it was okay, and they said it was. There was obviously a failure to communicate, but I'd like a better answer than "treat OpenSSL like it's proprietary software". People make mistakes--all people. I've seen Debian take responsibility and try and fix things. I've seen the OpenSSL people blame Debian for having the gall to change free software, and for not communicating with a secret mailing list, with a large bit of whining about their poor resources. I haven't seen any statements from OpenSSL people saying "we will do this in the future to help distributions communicate with us and effectively fix bugs". People who take responsibility are hard to vilify; those who use a screwup they were involved in as an excuse to vilify others tend to get more blame. Probably a good thing.
Copyright © 2017, Eklektix, Inc.
Comments and public postings are copyrighted by their creators.
Linux is a registered trademark of Linus Torvalds