The Debian/Ubuntu SSL bug

Stephen John Smoogen smooge at gmail.com
Tue May 13 19:04:11 UTC 2008


On Tue, May 13, 2008 at 12:45 PM, Greg DeKoenigsberg <gdk at redhat.com> wrote:
>
>  So I've been having a conversation with Mark Cox about the Debian/Ubuntu
> SSL bug.  This is basically a horror story of what can go wrong when
> packagers don't maintain close relationships with upstream.  I asked Mark,
> "what security policies do we have in place to keep this from happening in
> Fedora-land?"  And his response was, "I don't know, what security policies
> do we have in place to keep this from happening in Fedora-land?"
>
>  We know that RHEL is secure and stable, and we *do* have safeguards in
> place to prevent this from happening in RHEL-land.  But a mistake like this
> in Fedora-land would be every bit as bad for the Red Hat and Fedora brands.
>
>  Are there any steps we can take to protect ourselves from this kind of
> mistake -- in which a packager does something dumb to the package and no one
> notices it?
>

Well, the biggest step would be to add additional code review steps for
packages... and probably trying to increase the number of
'code-monkeys' per package. However, I am not sure that is the best
step... especially to the crowd that believes Fedora is too
bureaucratic now.

Would having a review release, where instead of trying to put in
things as newer we worked on getting more eyes on the code, make sense?
How could it be done?

Also, how many times does a patch get added because someone saw it in
the 'Debian' or 'SuSE' trees and it looked like it 'fixed' something?



-- 
Stephen J Smoogen. -- BSD/GNU/Linux
How far that little candle throws his beams! So shines a good deed
in a naughty world. = Shakespeare. "The Merchant of Venice"
