[CentOS] Re: [CentOS-announce] Impact of the Debian OpenSSL vulnerability
Daniel de Kok
me at danieldk.org
Mon May 19 14:40:52 UTC 2008
On Mon, May 19, 2008 at 3:53 PM, Johnny Hughes <johnny at centos.org> wrote:
> Les Mikesell wrote:
>> Does anyone know the point of the patch in the first place? That is, why
>> would a distro-specific modification have been needed at all? I don't
>> suspect an intentional compromise here but I'm curious about why anyone
>> would consider a non-standard change.
>>
>
> The change was added due to valgrind testing of openssh and warnings
> produced while compiling.
>
> The removal was discussed on the openssh-devel list.
>
> It was clearly an accident caused by trying to do the right thing.

And a miscommunication, it seems that the OpenSSL developers thought the patch
was just used for debugging purposes, while the Debian packagers
understood it as a confirmation that the patch was ok.

Errors do happen, even to the brightest of all developers. Though,
most bugs do not have such far-reaching consequences. The best thing
is to learn from it, and to move on.

Take care,
Daniel