Re: The Debian/Ubuntu SSL bug

The thing I find amazing about this bug is that it took 2 years for someone
to notice it.  I think in part this is due to the size of Debian making it
pretty much impossible for someone to review every change that goes in.

In this case it's also a little to do with the complexity of the issue; it was in fact proposed by the vendor to the upstream project development list and no one really noticed it would have a bad side-effect:

Something the SuSE guys have done which I'm thinking we should adopt for our
patches (in the kernel at least), is a header at the top of each patch
detailing its upstream status, (and if not upstream, why not).

Yeah, this should be enforced. We ought to be including signatures for the pristine upstream tarballs in the srpms too (where upstream signs their output). At least we then can know for certain what has been touched outside of upstream.

Cheers, Mark
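The two checks proposed in the thread (a header on every patch stating its upstream status, and verifying the pristine upstream tarball against the upstream signature) as an added example, not code from the thread or from any distribution's tooling. The header name `Upstream-Status:`, the accepted values, and the directory layout are assumptions for this example.

```shell
#!/bin/sh
# Added example: a pre-build check a packager could run over an srpm's
# SOURCES directory. The "Upstream-Status:" header name and the accepted
# values below are assumptions, not any distribution's actual convention.

# Print the Upstream-Status value of one patch (empty if it has none).
# The header is only looked for above the first "---" line, i.e. in the
# patch description, never inside the hunks themselves.
patch_upstream_status() {
    sed '/^---/q' "$1" | sed -n 's/^Upstream-Status:[[:space:]]*//p' | head -n 1
}

# Return 0 if every *.patch in directory $1 carries an acceptable header,
# otherwise report each offender on stderr and return 1.
check_patch_headers() {
    dir=$1; rc=0
    for p in "$dir"/*.patch; do
        [ -e "$p" ] || continue
        status=$(patch_upstream_status "$p")
        case $status in
            "") echo "MISSING Upstream-Status header: $p" >&2; rc=1 ;;
            Submitted*|Accepted*|Backport*|Inappropriate*|Pending*) ;;
            *) echo "UNKNOWN Upstream-Status '$status': $p" >&2; rc=1 ;;
        esac
    done
    return $rc
}

# Verify the pristine tarball $1 against the detached signature $2 using
# only a keyring the packager controls ($3), so a key that merely happens
# to be in the builder's default keyring cannot make the check pass.
verify_upstream_tarball() {
    gpg --no-default-keyring --keyring "$3" --verify "$2" "$1"
}
```

Both checks are meant to fail the build, so a patch without a header or a tarball that does not verify never reaches the spec file's %prep stage.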

