May 14, 2008
Where's the Open?
Ok, so it seems that the whirlwind on OpenSSL has settled down a bit. Posts about it are coming from everywhere, ranging from rants on package maintenance to blame-pointing on both upstream and packager sides. And, of course, Slashdot.
Where does all this leave the end user with? Well, probably not much except to
regenerate weak SSH keys with the new openssh-server (now enhanced with
openssh-blacklist, see the new advisory) and hope to $DEITY all gets
well soon. And maybe, just maybe, a minor suspicion that other Debian-packaged
software may be "tainted" with a similar blemish (that being having patches
that are supposed to fix something, applied with upstream's blessing, and yet
not really audited enough to ensure functionality AND security of the
system is maintained.)
Obviously, there's going to be some adjustments to be made on the Debian side.
But I do hope to $DEITY that major revamps ought to happen on the OpenSSL side
as well, in particular on clarifying their public channels to reaching upstream
developers (read: publish openssl-team@openssl.org in a legitimate way, being
the legitimate upstream contact endpoint it is,) and keeping a closer eye on
the vendors who package their software (yeah, it may not be an obligation at
all for OpenSSL, but heck, their vendors are users, too!) Upstream may be
free not to partake on a social contract like Debian's, but it shouldn't
escape from them the fact that vendors nevertheless aggregate continuing and
potential users (aside from being users themselves) for their benefit.
More importantly though, is that delivering FOSS is a community effort. Sure, its easy to put blame now, but in the end, the blame isn't as important as the real cause and effects of the problem/bug/issue are. Better to move on and work together towards a real fix, rather than the bickering that currently passes as FOSS entertainment.
Tags: community, debian, linux, openssh, openssl. | Posted at: 11:31 | 2 Comments/Trackbacks.