
Tracking down the OpenSSL developers - cstejerean
http://advogato.org/person/branden/diary/5.html
======
tptacek
Why the hell do I care how hard it was for them to track down the OpenSSL
developers?

This flaw was Debian's fault. They patched OpenSSL for no reason. Nobody
complained about it. Nothing was broken. They ran valgrind --- awesome, but
noisy --- on the tree and blindly started "fixing" problems.

This claim that they ran the change past the OpenSSL team before they
committed it? Comical. To believe it, you have to believe that it is _more
likely_ that:

- The OpenSSL team reviewed a code change that _commented out the randomness
from their RNG_, quite literally the most sensitive code in the whole package

than

- A part-time OpenSSL team member told a Debian developer that, while
debugging, it would be fine for him to lose a line of code, not expecting that
the Debian developer would then commit a change to their repo that _commented
out the OpenSSL RNG_.

Stop wasting time pointing fingers, Debian. Fix the problem. You had no
business editing OpenSSL; it is very hard to believe that your developer even
read the code they changed. Promise us that from now on, you won't mess with
security or crypto code.

~~~
jeroen
Have you read http://marc.info/?l=openssl-dev&m=114652287210110&w=2 ?

Sure Debian made a mistake, and they shouldn't make changes that they don't
understand the effects of, but an OpenSSL developer _did_ say it wouldn't be a
problem.

Instead of passing the blame I would rather see the parties involved working
on the underlying issues.

~~~
tptacek
All due respect, but, did you read the rest of the mailing list, or, for that
matter, my original comment? He _didn't_ clear the change; he said it was fine
for debugging, before other OpenSSL people corrected him.

There's no "problem" to fix here. Really! The problem is that Debian made an
elective style-guide patch to OpenSSL based solely on Valgrind output. The
"fix" to the problem is to back the patch out and make sure everyone's system
is updated.

The only underlying issue that needs to be fixed here is for Debian to never,
ever independently modify OpenSSL (or any other crypto code) again. I think
that's reasonable at this point. This is one of the worst crypto
vulnerabilities I've ever seen, far worse than when OpenSSL and NSS broke RSA.

