2008-05-15

FIY

It’s probably worth noting at this point that there are a few lessons to take from the Debian OpenSSL débâcle:

  1. There is now a corollary to “do not write your own cryptographic routines”: “do not fix bugs in someone else’s cryptographic routines.” What looks like a bug to a tool or a reader (here, code that Valgrind flagged as using uninitialised memory, but which was part of how the PRNG was seeded) may be there on purpose, and only the author can say so quickly. If there is an annotated view of the OpenSSL tree (I don’t know/don’t care), the DD who patched OpenSSL would have been better off contacting the person who wrote the offending line in the original source than trying to find the correct channel.
  2. Developers must publish correct information on how to contact them. Incorrect contact information on the OpenSSL website is just as much to blame for this as the DD in question, who did ask through the suggested channels about his patch.
  3. Distros should have peer review of patches to security-critical code, by experienced developers, if they do not already.
  4. Rather than all the bitching, remember that the central tenet of F/LOSS is Fix It Yourself. This does not cease to apply simply because the problem exists in something you depend on. If anything, it makes that more necessary.
