Mailing List Archive



Re: [tlug] Debian OpenSSL critical security bug



On 2008-05-14 07:52 +0900 (Wed), Josh Glover wrote:

> The lesson here is that distros should not add patches to upstream
> sources that made fundamental changes.

Actually, the lesson is that distros shouldn't touch security-related
code at all, and possibly also expand their definition of what is
"security-related" to include everything in the random-number generation
chain, among other things.

I strongly suspect that this change appeared to the Debian maintainers
not to be any kind of fundamental change. In the security world, it can
be very hard to tell what is and isn't fundamental; remember the story
about the NSA's changes to the S-box arrangement of the DES algorithm.

cjs
-- 
Curt Sampson       <cjs@example.com>        +81 90 7737 2974   
Mobile sites and software consulting: http://www.starling-software.com

