

Julian Assange: Debian Is Owned By The NSA - tachion
http://igurublog.wordpress.com/2014/04/08/julian-assange-debian-is-owned-by-the-nsa/

======
rainmaking
I missed a coherent logical thread to follow in this article.

~~~
jmillikin
I wouldn't say you "missed" it, Bob.

~~~
001sky
[https://news.ycombinator.com/item?id=7565195#up_7565557](https://news.ycombinator.com/item?id=7565195#up_7565557)

Already discussed + Killed

------
lamby
> which was clearly sabotaged – a known fact

Tell me more.

~~~
hga
No, not at all, it's an inevitable result of Debian's conceit of "fixing"
upstream source trees.

An ... I hesitate to call him an engineer ... used one of the standard lint
tools or GCC or whatever on OpenSSL I think it was, and noticed the use of an
uninitialized variable. This was deliberate, it was added to the entropy the
program was using; might not be too random, but "it couldn't hurt".

So he communicated with them, and they told him it was OK to eliminate it.
Without further talking to them, he also eliminated a kin bit where the serious
entropy was added, so for years Debian generated trivially breakable keys.

It'll be a while before anyone can judge if this or "Heartbleed" is the worse
open-source security screwup, but until the latter just developed I certainly
rated it as #1.

However this is the first time I've heard it alleged it was sabotage; it could
have been, disguised as stupidity, but that it was "_clearly sabotaged – a
known fact_" is utterly false at this time.
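
An added illustration, not part of hga's comment and not OpenSSL or Debian code: a toy entropy pool showing why dropping the mixing call makes every generated key enumerable, and how a defender can precompute the weak set to flag affected keys. The names `ToyPool`, `make_key`, `weak_key_set` and `is_weak` are hypothetical, and the model assumes the only input left after the change is a 15-bit process ID.

```python
import hashlib

PID_MAX = 32768  # assumption of this model: 15-bit process ID range


class ToyPool:
    """Toy hash-based entropy pool (a model, not OpenSSL's implementation)."""

    def __init__(self, mix_enabled: bool = True):
        self.state = b"\x00" * 32
        self.mix_enabled = mix_enabled

    def add(self, data: bytes) -> None:
        # With mixing disabled (the "patched" build), whatever entropy the
        # caller supplies is silently discarded and the state never changes.
        if self.mix_enabled:
            self.state = hashlib.sha256(self.state + data).digest()

    def generate(self, pid: int, n: int = 16) -> bytes:
        # Assumption: the PID is stirred in at output time by a separate
        # code path that the change did not touch.
        seed = self.state + pid.to_bytes(4, "big")
        return hashlib.sha256(seed).digest()[:n]


def make_key(pid: int, system_entropy: bytes, mix_enabled: bool) -> bytes:
    """Derive a 16-byte key the way a caller of the pool would."""
    pool = ToyPool(mix_enabled)
    pool.add(system_entropy)
    return pool.generate(pid)


def weak_key_set() -> set:
    """Every key the patched pool can ever emit: exactly one per PID."""
    return {make_key(pid, b"", mix_enabled=False) for pid in range(PID_MAX)}


def is_weak(key: bytes, weak: set) -> bool:
    """Defender's check: does this key belong to the enumerable set?"""
    return key in weak


if __name__ == "__main__":
    weak = weak_key_set()
    sample = b"constructed sample entropy"  # constructed input
    print(len(weak), "possible keys from the patched pool")
    print("patched key flagged:", is_weak(make_key(4242, sample, False), weak))
    print("intact key flagged: ", is_weak(make_key(4242, sample, True), weak))
```
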

------
jlgaddis
Flagging this because of the rampant speculation and conspiracy theories
disguised as "known fact".

