[CentOS] Re: [CentOS-announce] Impact of the Debian OpenSSL vulnerability

Mon May 19 14:40:52 UTC 2008
Daniel de Kok <me at danieldk.org>

On Mon, May 19, 2008 at 3:53 PM, Johnny Hughes <johnny at centos.org> wrote:
> Les Mikesell wrote:
>> Does anyone know the point of the patch in the first place?  That is, why
>> would a distro-specific modification have been needed at all?  I don't
>> suspect an intentional compromise here but I'm curious about why anyone
>> would consider a non-standard change.
>>
>
> The change was added due to valgrind testing of openssh and warnings
> produced while compiling.
>
> The removal was discussed on the openssh-devel list.
>
> It was clearly an accident caused by trying to do the right thing.

And a miscommunication, it seems: to the OpenSSL developers the patch
was just used for debugging purposes, while the Debian packagers
understood it as a confirmation that the patch was ok.

Errors do happen, even to the brightest of all developers. Though,
most bugs do not have such far-reaching consequences. The best thing
is to learn from it, and to move on.

Take care,
Daniel