
Debian's worst nightmare - and how it came about

Opinion and Analysis


Moller's reply can be interpreted two ways - one, that this meant that an OpenSSL developer was okay with the change. A second school of thought, which includes long-term Debian developer Russell Coker, says that since Roeckx had begun his message by saying, "When debugging applications that make use of openssl using valgrind...", Moller may well have understood his (Roeckx's) reference to removal of code as meaning that the removal was only for the purpose of debugging and not as a final change.

There were three responses to Roeckx's post; apart from Moller, a second OpenSSL developer, Geoff Thorpe, suggested that compiling the package with the -DPURIFY option would remove the unnecessary warnings generated by valgrind.
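To make concrete why the removal of code mattered (as opposed to a debug-only build option that merely silences a tool), here is an added example in Python. It is not code from the article, from Debian or from OpenSSL. It assumes, from the public post-mortems of the bug rather than from this page, that after the change the only input left to the generator was the process id, which on a default Linux system of the time could take at most 32768 values. The `derive_key` function is a constructed toy stand-in for RSA key generation, and the blacklist-building and checking functions mirror the defensive approach Debian later shipped (a precomputed list of fingerprints of every key the broken generator could produce):

```python
import hashlib
import hmac

PID_MAX = 32768       # assumption: default Linux pid_max of the era, the only input left
TOY_KEY_BYTES = 16    # constructed toy key size; real RSA keys are far larger


def derive_key(seed: bytes) -> bytes:
    """Constructed toy 'key generation': a deterministic function of the PRNG seed.
    It stands in for RSA key generation driven by a PRNG seeded with `seed`."""
    return hmac.new(seed, b"toy-keygen", hashlib.sha256).digest()[:TOY_KEY_BYTES]


def broken_keygen(pid: int) -> bytes:
    """Models the build with the seeding call removed: the PRNG state depends
    only on the process id, so the resulting key is a pure function of pid."""
    return derive_key(pid.to_bytes(4, "big"))


def correct_keygen(pid: int, entropy: bytes) -> bytes:
    """Models the intended build: pid mixed with real entropy (e.g. /dev/urandom)."""
    return derive_key(pid.to_bytes(4, "big") + entropy)


def fingerprint(key: bytes) -> str:
    """Short fingerprint used to index the blacklist, as a key checker would."""
    return hashlib.sha256(key).hexdigest()[:16]


def build_blacklist() -> set:
    """Enumerate every key the broken generator can emit: one per possible pid.
    A 15-bit seed space is small enough for a defender to precompute exhaustively."""
    return {fingerprint(broken_keygen(pid)) for pid in range(1, PID_MAX + 1)}


def is_weak(key: bytes, blacklist: set) -> bool:
    """Detection check: does this key appear in the precomputed weak-key list?"""
    return fingerprint(key) in blacklist


def demo():
    """Returns (blacklist size, broken key flagged?, correct key flagged?)."""
    blacklist = build_blacklist()
    weak = broken_keygen(4242)
    # constructed fixed 'entropy' so the example is reproducible offline
    strong = correct_keygen(4242, bytes(range(32)))
    return len(blacklist), is_weak(weak, blacklist), is_weak(strong, blacklist)


if __name__ == "__main__":
    print(demo())
```

The point the toy makes: compiling with something like -DPURIFY only stops one uninitialized-memory read that valgrind objects to, leaving the real seeding in place; deleting the seeding call instead shrinks the whole key space to the pid range, which is why every possible key could be precomputed and blacklisted after the fact.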

It turns out that Roeckx had sent this message to the wrong mailing list - but nobody can blame him for doing so, for the OpenSSL website states that this list (openssl-dev) is for "Discussions on development of the OpenSSL library. Not for application development questions!"

A post by Ben Laurie (see comment 43), a member of the core OpenSSL team, stating that if Roeckx wanted to communicate with OpenSSL developers he should have sent his message to the openssl-team mailing list, would have had some merit if it had been indicated anywhere on the OpenSSL site that this (openssl-team) was the mailing list that would ensure communication with the OpenSSL developers.

As former Debian project leader Branden Robinson pointed out, nowhere, including in the OpenSSL package itself, is there any mention of the openssl-team mailing list as being the one which ensured communication with developers. In fact, there is no mention of that mailing list at all.

However, Laurie did point out one mistake made by the Debian project - that the changed OpenSSL package, which fixed the bug, was committed to a public repository on May 7, nearly a week before the advisory about the vulnerability was issued. As Laurie pointed out: "This gives alert attackers a big hint (and only one needs to take that hint) without warning defenders of the problem (all of whom have to know)."

Russell says this happens periodically when there are upstream issues and cross-distribution advisories are synchronised.

The appearance of a report on May 13 titled "Brute-Force SSH Server Attacks Surge" may not be unrelated to Laurie's comment.
