[Klug-general] SSL bug

Karl Lattimer karl at qdh.org.uk
Fri May 23 15:00:59 BST 2008




On Fri, 23 May 2008 13:41:35 +0000, Andy Smith <andy at lug.org.uk> wrote:
> Hi,
> 
> On Fri, May 23, 2008 at 08:28:30AM +0300, Karl Lattimer wrote:
>> Just because you still put your faith in something like that doesn't
>> mean anyone with any sense will, big companies don't risk it. 
>> 
>> I can tell you now that I wouldn't buy a service from you, after you've
>> admitted you use Debian. Do you advertise this fact?
> 
> lug.org.uk uses Debian on all but one virtual machine (which is
> legacy).  We have no plans to change this.  When are you
> unsubscribing?
> 
> BitFolk Ltd is proud to use only Debian to provide its services.  We
> also donate to the Debian project (via SPI and Debian UK).  We have
> no plans to change any of this.
> 
> My dayjob does not use Debian but we had to regenerate all of our
> keys anyway.  We are not particularly tied to any distribution
> choice (other than by history).  Very few of us sysadmins actually
> have the company's chosen distribution as our personal favourite
> distribution, and if we were already using Debian I doubt we would
> switch.
> 
> Also sooner or later something like this will happen to any
> distribution, or all at once (kernel).  To immediately jump ship
> seems like a rather knee-jerk reaction.  Yes it could certainly be
> justified if it turns out that Debian does not learn from this
> mistake.
> 
> You haven't answered my question in an earlier email about what you
> think the consequences will be for Debian within the next year.
> Should I assume that you think Debian is totally done for and will
> cease to exist or what?  It sounds like an alarmist thing to say but
> everything else you are saying is even more alarmist..
> 

Well, let's see what happens. From what I hear, people have lost faith in it.
People are switching... If you want to maintain your use then that's up to
you, but at the risk of a bug like this re-occurring most companies
wouldn't go for it. From now on it'll be clearly labeled on a risk
assessment. Simply put, you can't expect to maintain an enterprise market if
a bunch of volunteers do the work that should be done and maintained by
professionals. i.e. people who are paid and are accountable for their
actions.

K,





