hello, as always: imho (!) i remember this incident - if my memory doesn't trick me: it was openssl which accessed memory it hadn't allocated to collect randomness / entropy for key generation, and valgrind complained about a possible memory leak - it's a profiling tool with a focus on detecting memory-management problems.

* https://valgrind.org/

instead of taking a closer look / trying to understand what exactly went on there / what caused the problem, the maintainer simply commented out / disabled those accesses... mistakes happen, but the debian community handled this problem very well - as in my impression they always do and did. idk ... i prefer the open and community-driven approach from debian anytime over distributions which are associated with companies. last but not least, they have a social contract.

long story short: at least for me this was an argument for the debian gnu/linux distribution, not against :)) just my 0.02€
It’s doubly important to upstream issues for security libraries: There are numerous examples of bad actors intentionally sabotaging crypto implementations. They always make it look like an honest mistake.
For all we know, prior or future debian maintainers of that package are working for some three-letter agency. Such changes should be against debian policy.