May 14, 2008

Where's the Open?

Ok, so it seems that the whirlwind over OpenSSL has settled down a bit. Posts about it are coming from everywhere, ranging from rants on package maintenance to blame-pointing on both the upstream and packager sides. And, of course, Slashdot.

Where does all this leave the end user? Well, probably with not much to do except regenerate weak SSH keys with the new openssh-server (now enhanced with openssh-blacklist; see the new advisory) and hope to $DEITY that all gets well soon. And maybe, just maybe, a minor suspicion that other Debian-packaged software may be "tainted" with a similar blemish: patches that are supposed to fix something, applied with upstream's blessing, and yet not audited enough to ensure that both the functionality AND the security of the system are maintained.

Obviously, there are going to be some adjustments to be made on the Debian side. But I do hope to $DEITY that major revamps happen on the OpenSSL side as well, in particular in clarifying their public channels for reaching upstream developers (read: publish openssl-team@openssl.org in a legitimate way, being the legitimate upstream contact endpoint that it is) and in keeping a closer eye on the vendors who package their software (yeah, it may not be an obligation at all for OpenSSL, but heck, their vendors are users, too!). Upstream may be free not to partake in a social contract like Debian's, but they shouldn't lose sight of the fact that vendors nevertheless aggregate continuing and potential users (aside from being users themselves) for upstream's benefit.

More importantly, delivering FOSS is a community effort. Sure, it's easy to assign blame now, but in the end the blame isn't as important as the real causes and effects of the problem/bug/issue. Better to move on and work together towards a real fix, rather than the bickering that currently passes as FOSS entertainment.

Posted at: 19:31 | 2 Comments/Trackbacks.

timri wrote at 2008-05-16 20:46:

"patches that are supposed to fix something, applied with upstream's blessing" Upstream was never sent a patch.

Zak Elep wrote at 2008-05-16 22:10:

@timri: right, in the preceding situation the Debian maintainer only asked for input regarding his query, never sent a patch; that was bad indeed. Thanks for pointing that out!

I'm still quite concerned, though, that there may be other packaged software that has Debian patches that are upstream-approved yet not adequately reviewed by both sides. Being a maintainer myself, I'm compelled to do a review of my own packages with patches and to improve where necessary.

