Debian shows how security snafu should be handled
by Sam Varghese   
Friday, 30 May 2008
When mistakes occur within a free software project, what does the head of such a group do? Does he or she run and take cover, try to justify the error by blaming others, or stand up and take the heat with an honest admission of error?


No matter the amount of pain caused by the OpenSSL bug which surfaced in the Debian GNU/Linux distribution earlier this month due to a developer's error two years ago, one has to hand it to the project for its reaction to what is the worst security snafu in the 15 years of its existence.

The advisory about the bug did not try to minimise the seriousness of the situation, nor did it try to spin the cause. It was an old-fashioned geek advisory which set out things as they were. Florian Weimer, who issued the advisory, did not mince words. And the advisory came after a fix was in place, after tools for testing were on offer. In short, it was a well-organised affair.

Then there was the reaction of Debian project leader Steve McIntyre. The man did not try to duck when iTWire contacted him. He was nothing if not straightforward.

"The OpenSSL bug was an unfortunate mistake by one of our developers that has led to quite a lot of pain for many people, both inside our development community and elsewhere. For that, we must apologise and promise to do better in future," McIntyre said.

"There is a lot of discussion ongoing on our main development channels right now while we thrash out ways to improve our processes. We want to get more code review, both internally in Debian and with our upstream developers."

He added: "One of our strengths, and one of the reasons why our users tell us that they like and trust us so much, is that we don't try to hide our problems. We'll learn from the mistakes made here and, I hope, regain some of the trust we have lost."


 