[bombolo]

Every time this gets brought up, people forget that the patch had been sent to the openssl mailing list and someone said that it looked fine.

But here we have all the proponents of "distributions should never do any patch (and thus leave all the security issues open)". But they live in a fantasy world where all upstream authors reply within 3 minutes, fix issues within 30 minutes and of course backport the fix.

[xorcist]

Also, after it blew up people said "why did you mail to -dev? That's where users post to and nobody has time with that, we have a special wizards list where the devs hang out".

Which says a lot. With better communication, from everyone involved, this wouldn't have happened the way it did.

[nullc]

the doubly weird thing is that OpenSSL already had a ifdef-- -DPURIFY -- that did what the packager desired.

[xorcist]

Did it have the same security problem?

[nullc]

Nope, it is the thing the debian developer intended, without introducing any problems-- and was at the time. It's a bit opaquely named (it's named after an earlier tool, 'purify' that protested some of the same things valgrind did) which is presumably why the debian developer was unaware of it.

I believe most distros ship with it on these days because without it you can't really use valgrind on programs that use openssl. (Suppressions don't really work because the uninitialized data taints all downstream users of openssl randomness)