The Debian/Ubuntu SSL bug
Mark J Cox
mjc at redhat.com
Tue May 13 18:57:37 UTC 2008
> The thing I find amazing about this bug is that it took 2 years for someone
> to notice it. I think in part this is due to the size of Debian making it
> pretty much impossible for someone to review every change that goes in.
In this case it's also a little to do with the complexity of the issue; it
was in fact proposed by the vendor to the upstream project development
list, and no one really noticed it would have a bad side-effect:
http://marc.info/?m=114651085826293&w=2
> Something the SuSE guys have done which I'm thinking we should adopt for our
> patches (in the kernel at least), is a header at the top of each patch
> detailing its upstream status, (and if not upstream, why not).
Yeah, this should be enforced. We ought to be including signatures for
the pristine upstream tarballs in the SRPMs too (where upstream signs
their output). At least we then can know for certain what has been
touched outside of upstream.
Cheers, Mark
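One way to turn the suggestion above into an enforceable check, as an added example that is not code from the thread or from any distribution's build tooling: read the Source and Patch entries out of an RPM spec, require a detached upstream signature beside every source tarball, verify those signatures with gpg where it is installed, and print the patch list, which is exactly the set of changes carried outside of upstream. The directory layout, the spec file name and the `.asc`/`.sig` naming of signatures are assumptions for the example.

```shell
#!/bin/sh
# Added example, not from the original thread or any distro's build tooling.
# Assumed layout: the spec file and its sources, patches and detached
# signatures all live in one directory, and a signature for <tarball> is
# named <tarball>.asc or <tarball>.sig (hypothetical convention).

# Print the file name of every SourceN: entry in a spec. Only the basename
# is kept, because Source lines usually carry the upstream download URL.
spec_sources() {
    sed -n 's/^Source[0-9]*:[[:space:]]*//p' "$1" | while read -r src; do
        basename "$src"
    done
}

# Print every PatchN: entry in a spec: these are the changes that exist
# only in the package, not in the signed upstream tarball.
spec_patches() {
    sed -n 's/^Patch[0-9]*:[[:space:]]*//p' "$1"
}

# Print each source tarball that has no detached signature beside it.
# Returns 1 if at least one is missing, 0 if every tarball has one.
missing_signatures() {
    spec=$1; dir=$2; rc=0
    for src in $(spec_sources "$spec"); do
        if [ ! -f "$dir/$src.asc" ] && [ ! -f "$dir/$src.sig" ]; then
            echo "$src"
            rc=1
        fi
    done
    return $rc
}

# Verify every detached signature with gpg. Upstream's release key must
# already be imported into the keyring gpg uses (GNUPGHOME). Returns 2 if
# gpg is not installed and 1 on the first signature that fails to verify.
verify_signatures() {
    spec=$1; dir=$2
    command -v gpg >/dev/null 2>&1 || { echo "gpg not installed" >&2; return 2; }
    for src in $(spec_sources "$spec"); do
        sig="$dir/$src.asc"
        [ -f "$sig" ] || sig="$dir/$src.sig"
        gpg --batch --verify "$sig" "$dir/$src" || return 1
    done
}

# Usage: sh check-srpm-sources.sh foo.spec /path/to/SOURCES
# (only runs when invoked with both arguments, so the functions can also
# be sourced into another script)
if [ $# -eq 2 ]; then
    if missing_signatures "$1" "$2"; then
        verify_signatures "$1" "$2" && echo "all upstream tarballs verified"
    else
        echo "tarballs listed above lack a detached upstream signature" >&2
    fi
    echo "Changes carried outside upstream (patches):"
    spec_patches "$1"
fi
```

Run it against a spec and its SOURCES directory during package build or review; a non-empty output from the missing-signature check is a hard failure, and the patch list is the part of the package a reviewer actually has to read, which is the point of the upstream-status header the thread mentions.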