On Mon, May 19, 2008 at 3:53 PM, Johnny Hughes johnny@centos.org wrote:
Les Mikesell wrote:
Does anyone know the point of the patch in the first place? That is, why would a distro-specific modification have been needed at all? I don't suspect an intentional compromise here but I'm curious about why anyone would consider a non-standard change.
The change was added due to valgrind testing of openssh and warnings produced while compiling.
The removal was discussed on the openssh-devel list.
It was clearly an accident caused by trying to do the right thing.
And a miscommunication: it seems that to the OpenSSL developers the patch was just used for debugging purposes, while the Debian packagers understood it as a confirmation that the patch was ok.
Errors do happen, even to the brightest of all developers. Though, most bugs do not have such far-reaching consequences. The best thing is to learn from it, and to move on.
Take care, Daniel