[linux-elitists] Surveillance

Eugen Leitl eugen at leitl.org
Wed Sep 11 01:54:55 PDT 2013


On Tue, Sep 10, 2013 at 01:07:47PM -0700, Rick Moen wrote:
> Quoting Eugen Leitl (eugen at leitl.org):
> 
> > Consider all the crypto-related fubars in Debian.  So far I chalked
> > that up to incompetence, but now I do wonder. It would be good to do
> > some forensics on the checkins that caused the regressions, and
> > identify the culprits.  
> 
> In the case of the much-ballyhooed inadvertent sabotaging of the RNG in
> the Debian/Ubuntu OpenSSL package[1], I think many commentators don't
> sufficiently appreciate just how bad the spaghetti-code problem in
> upstream OpenSSL is.  Those who ascribe malice to Kurt Roeckx for his

OpenSSL does look unfixable. I hear a lot of good things about
http://nacl.cr.yp.to/
Unfortunately, the "no license: public domain" bit will be a
deal-breaker to many.

> good-faith effort to fix truly messed-up C code are being, IMO, a bit
> idiotic and are missing the real problem entirely.  
> 
> [1] http://lwn.net/Articles/282038/