Sam Varghese
Thursday, 29 May 2008 22:32
Opinion and Analysis
Page 1 of 3
When mistakes occur within a free software project what does the head of such a group do? Does he or she run and take cover, try to justify the error by blaming others, or stand up and take the heat with an honest admission of error?
No matter the amount of pain caused by the OpenSSL bug which surfaced in the Debian GNU/Linux distribution
earlier this month due to a developer's error two years ago, one has to hand it to the project for its reaction to what is the worst security snafu in the 15 years of its existence.
The advisory about the bug did not try to minimise the seriousness of the situation, neither did it try to spin regarding the cause. It was an old-fashioned geek advisory which set out things as they were. Florian Weimer, who issued the advisory, did not mince words. And the advisory came after a fix was in place, after tools for testing were on offer. In short, it was a well-organised affair.
Then there was the reaction of Debian project leader Steve McIntyre. The man did not try to duck when iTWire contacted him. He was nothing if not straightforward.
"The OpenSSL bug was an unfortunate mistake by one of our developers that has led to quite a lot of pain for many people, both inside our development community and elsewhere. For that, we must apologise and promise to do better in future," McIntyre said.
"There is a lot of discussion ongoing on our main development channels right now while we thrash out ways to improve our processes. We want to get more code review, both internally in Debian and with our upstream developers."
He added: "One of our strengths, and one of the reasons why our users tell us that they like and trust us so much, is that we don't try to hide our problems. We'll learn from the mistakes made here and, I hope, regain some of the trust we have lost."
