Lessons from the Debian/OpenSSL Fiasco - luckystrike
http://research.swtch.com/2008/05/lessons-from-debianopenssl-fiasco.html

======
tptacek
Provide as many tips and rules of thumb as you want. Sometimes, it's safe to
modify code you don't understand. And then, those tips will help. But that all
goes out the window when it comes to security code. If you don't understand
security code, don't mess with it.

------
ComputerGuru
Excellent points here, especially the bits about the rationale behind patching
major packages when maintainers should be taking the extra time to submit
patches upstream instead.