Why the hell do I care how hard it was for them to track down the OpenSSL developers?
This flaw was Debian's fault. They patched OpenSSL for no reason. Nobody complained about it. Nothing was broken. They ran valgrind --- awesome, but noisy --- on the tree and blindly started "fixing" problems.
This claim that they ran the change past the OpenSSL team before they committed it? Comical. To believe it, you have to believe that it is more likely that:
- The OpenSSL team reviewed a code change that commented out the randomness from their RNG, quite literally the most sensitive code in the whole package
than
- A part-time OpenSSL team member told a Debian developer that, while debugging, it would be fine for him to lose a line of code, not expecting that the Debian developer would then commit a change to their repo that commented out the OpenSSL RNG.
Stop wasting time pointing fingers, Debian. Fix the problem. You had no business editing OpenSSL; it is very hard to believe that your developer even read the code they changed. Promise us that from now on, you won't mess with security or crypto code.
Sure Debian made a mistake, and they shouldn't make changes that they don't understand the effects of, but an OpenSSL developer _did_ say it wouldn't be a problem.
Instead of passing the blame I would rather see the parties involved working on the underlying issues.
All due respect, but, did you read the rest of the mailing list, or, for that matter, my original comment? He didn't clear the change; he said it was fine for debugging, before other OpenSSL people corrected him.
There's no "problem" to fix here. Really! The problem is that Debian made an elective style-guide patch to OpenSSL based solely on Valgrind output. The "fix" to the problem is to back the patch out and make sure everyone's system is updated.
The only underlying issue that needs to be fixed here is for Debian to never, ever independently modify OpenSSL (or any other crypto code) again. I think that's reasonable at this point. This is one of the worst crypto vulnerabilities I've ever seen, far worse than when OpenSSL and NSS broke RSA.
I agree this was Debian's fault, and there really is no excuse, but I found it amazing that there was essentially no way to contact the core OpenSSL team.