by amiga386 14 hours ago
Agreed, but you also have to look at it from a packager's point of view. Here is the actual patch: https://salsa.debian.org/debian/openssl/-/commit/8f27a7dc022...

Notice how clean and small a patch it is? (ignore that, in making it clean and small, it has "chopped off the entire axle" as you say)

And here's what led to making that patch: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=363516

These links contain specific people's names, but the important thing is not to blame those people specifically, because this failure came from the whole Debian community and its values. A community that eagerly went looking for, e.g. valgrind correctness. A community that thought it knew better than upstream, and didn't check their changes with them. A community that values neat patches that close bugs, without thinking of the wider ramifications.

The community has learnt a lot of lessons since 2008, and is now much more aware of how packager meddling could cause security flaws.

(You could also single out the OpenSSL developers for their faults too, but this particular error was on Debian)
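The mechanism behind the patch, as an added simulation (not the Debian patch, not OpenSSL's code): the patch removed the calls that mixed buffer contents into the PRNG pool, so the only input left to the generator was the process ID, and every key became a function of the pid alone. The key derivation below is a toy stand-in for RSA, and the 32768 pid range is the Linux default of the time; both are assumptions for the example.

```python
"""Simulation of the 2008 Debian OpenSSL PRNG failure (CVE-2008-0166).

Not OpenSSL or Debian code: the hashes stand in for the PRNG pool and for key
generation so that only the dependency structure is shown.
"""
import hashlib
import hmac
import os
from typing import Optional, Tuple

# Assumption: default Linux pid range of the time was 1..32767 (pid_max = 32768).
PID_MAX = 32768


def prng_seed_debian(pid: int) -> bytes:
    """Broken seeding: after the patch the only data actually mixed into the
    pool was the process ID, so the state is fully determined by the pid."""
    return hashlib.sha256(pid.to_bytes(4, "little")).digest()


def prng_seed_upstream(pid: int, entropy: bytes) -> bytes:
    """Intended seeding: the pid plus bytes from an OS entropy source
    (supplied by the caller here so the example stays deterministic to test)."""
    h = hashlib.sha256()
    h.update(pid.to_bytes(4, "little"))
    h.update(entropy)
    return h.digest()


def derive_keypair(seed: bytes) -> Tuple[bytes, bytes]:
    """Toy key generation: 'private key' is PRNG output derived from the seed,
    'public key' is a one-way function of it. Not real RSA."""
    priv = hmac.new(seed, b"keygen", hashlib.sha256).digest()
    pub = hashlib.sha256(b"pub|" + priv).digest()
    return priv, pub


def broken_keyspace_size() -> int:
    """How many distinct keys the broken generator can ever produce
    (per architecture and key size): one per possible pid."""
    pubs = {derive_keypair(prng_seed_debian(pid))[1] for pid in range(1, PID_MAX)}
    return len(pubs)


def recover_private_key(pub: bytes) -> Optional[bytes]:
    """The attack: enumerate every pid, regenerate the key the way the broken
    generator would, and compare public halves. Returns the private key on a
    match, None if the key did not come from the broken generator."""
    for pid in range(1, PID_MAX):
        priv, candidate = derive_keypair(prng_seed_debian(pid))
        if hmac.compare_digest(candidate, pub):
            return priv
    return None


def demo(pid: int = 4711) -> Tuple[bool, bool]:
    """Constructed pid 4711. Returns (broken key recovered?, fixed key safe?)."""
    priv_broken, pub_broken = derive_keypair(prng_seed_debian(pid))
    broken_recovered = recover_private_key(pub_broken) == priv_broken

    priv_fixed, pub_fixed = derive_keypair(prng_seed_upstream(pid, os.urandom(32)))
    fixed_safe = recover_private_key(pub_fixed) is None
    return broken_recovered, fixed_safe


if __name__ == "__main__":
    print("distinct keys the broken PRNG can produce:", broken_keyspace_size())
    print("(broken key recovered, fixed key safe):", demo())
```

The point of `recover_private_key` is that the attacker never needs the victim's machine: regenerating every possible key is a loop over pids, which is why precomputed blacklists of all affected keys were feasible.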


A community that thought it knew better than upstream, and didn't check their changes with them.

It is my recollection that they both tried to run it by upstream, and believed that they had successfully done so. That may still be an error, but not the kind of fundamental flaw you imply.