[Klug-general] SSL bug

J D Freeman klug at quixotic.org.uk
Thu May 22 12:54:52 BST 2008


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

On Thu, May 22, 2008 at 07:35:02AM -0400, Karl Lattimer wrote:
> 
> Lol, firstly, distributions suffer from security bugs. This is currently
> being described in the security community as "The biggest security flaw in
> history". This bug is a cryptographic bug, that's major, it's not as simple
> as a package update, it extends and perpetuates from debian. This isn't a
> flaw, this is a MAJOR ISSUE!

I think you are overplaying it. Yes it's an annoyance, yes I have had to
sit down and regen keys on a large number of machines. But it could
have come from anywhere. How often has this sort of thing affected all
distros when it's come from, say, openssh introducing the bug? Yes this
has happened, yes it's annoying. Don't think it's the worst bug on the
planet like you are making it out to be.

> I'd like to know exactly how debian were quick to fix it, the ripples of
> this issue are still going now, debian don't have the money to pay for the
> trouble they've caused! This issue isn't fixed yet, debian can't fix the
> trouble they've caused, releasing a patch doesn't fix it, it prevents
> further problems.

Why do they need to pay for the "trouble"? How much did you pay for your
debian software? Have you not read the default MOTD?

For clarification:

The programs included with the Debian GNU/Linux system are free software;
the exact distribution terms for each program are described in the
individual files in /usr/share/doc/*/copyright.

Debian GNU/Linux comes with ABSOLUTELY NO WARRANTY, to the extent
permitted by applicable law.

If you wanted a warranty, go use windows and be subject to the
numerous security flaws in that. See how much money you get from MS to
fix all those bugs.

> Don't try to downplay it, or try to be the "bigger person" after all of
> the zealotry over debian you've extolled to me and others in the past.

Why? I see no need to be pulled into some pointless slagging match. You
were onto a loser the moment you decided to be rude and offensive. I see
no need to stoop to that level.

> It's time to put your tail between your legs, and say... EPIC FAIL.

No, it's now time to rally round behind debian, to offer them the support
they need to be able to continue the good work they have done, and put
in place measures to make sure that this sort of thing doesn't happen
again.

This is one of the reasons I am a sponsor of debian.

> btw, this isn't about winning or losing, my ssh keys were vulnerable
> because of umbongo therefore I lost, I just wanted to rub your face in all
> of your past comments re debian.

That's fine, you are more than welcome to have your opinion, and for you
to express it how you wish. I do however repeat my previous point, and
that made by others, that you should perhaps do so politely and without
needing to resort to rudeness and offensiveness.

Julia
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.4 (GNU/Linux)

iD8DBQFINV8L42M0lILkmGIRAtuaAKCxDbm0C3kHv/8l7eOWb+uL/MbluQCfV6Dr
8zKW0D6rIJ2Z9nAoMF0tBjc=
=MW8a
-----END PGP SIGNATURE-----
