Interesting Reading?

Justin Dugger jldugger at gmail.com
Thu May 29 01:03:54 CDT 2008


On Tue, May 27, 2008 at 3:33 PM, Julie <betelgeuse67stang at yahoo.com> wrote:
> As a noob to Linux I found these articles somewhat "interesting":
>
> -->Not Invented Here has no place in open source development  IT Security
> TechRepublic.com
>
> http://blogs.techrepublic.com.com/security/?p=460&tag=nl.e036
>
> -->Detect and replace vulnerable SSH keys on Debian  IT Security
> TechRepublic.com
>
> http://blogs.techrepublic.com.com/security/?p=459&tag=nl.e036
>
> wahdooya'l think? Jus' curyuss........
>

I think it's silly what little effort it takes to call yourself a tech
journalist these days.  He paints in broad strokes a bit with the
traditional anti-patterns identified in corporate development. Debian
developers did get in touch with upstream OpenSSL, despite OpenSSL's
best efforts to hide.  A member of the core team did get in touch, and
suggested "if it makes debugging easier, I'm all for it".  Since it
wasn't the main list, few other developers saw it, and the Debian
developer pushed the patch out.  Upstream even agrees today with half
of the patch in Debian, but the other half is clearly the wrong fix.
Rather than remove the access to uninitialized memory, the reasonable
thing seems to be to initialize it.

And the other example, I don't know as much about, but I do know that
often one works around bugs in OSX simply because you have to.  What's
even crazier is when they change functionality in a major release,
placing the burden on you to stop supporting older releases (the
article's "right way") or forever carry a version #ifdef for the
workaround.

Calling this "NIH" is downright stupid and contradictory to everything
Debian does.  NIH is about rewriting everything from scratch because
obviously anyone not in the organization is an idiot and can't be
trusted.  Here we had a developer who noticed something, created a
fix, and failed to get enough eyes on it when he went looking for it.
I think the important lesson here, and one Debian could do well to
memorize, is to make sure your development process is open and
accessible.

Justin
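The point Justin makes about the two halves of the patch ("remove the access" versus "initialize it") is easiest to see in code. The following is an added illustration, not part of the original post and not OpenSSL's md_rand.c: it uses a constructed toy entropy pool (a 64-bit polynomial hash with a splitmix64 finalizer) and two hypothetical seeding routines, `seed_pool_removed` and `seed_pool_initialized`. The first drops the call that mixes the OS-provided seed into the pool, the way a memory checker's complaint might tempt someone to; the second zeroes the flagged buffer and keeps mixing. Counting distinct outputs across many seeds shows the key space collapse to a single value per process id in the first case.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Toy stand-in for an entropy pool (constructed for this example; not
 * OpenSSL's code). One 64-bit word of state, mixed with a polynomial hash.
 * MIX_MULT is odd, so every mixing step is invertible and distinct seeds
 * provably reach distinct states. */
typedef struct { uint64_t state; } toy_pool;

static const uint64_t MIX_MULT = 0x100000001b3ULL;

static void pool_init(toy_pool *p) { p->state = 0xcbf29ce484222325ULL; }

/* rand_add: fold caller-supplied bytes into the pool. This is the kind of
 * call a checker flags when its input buffer holds uninitialized bytes. */
static void rand_add(toy_pool *p, const unsigned char *buf, size_t len) {
    for (size_t i = 0; i < len; i++)
        p->state = p->state * MIX_MULT + buf[i];
}

/* rand_bytes: derive one 64-bit output from the pool (splitmix64 finalizer,
 * a bijection, so it cannot merge two different pool states). */
static uint64_t rand_bytes(toy_pool *p) {
    uint64_t z = p->state;
    z = (z ^ (z >> 30)) * 0xbf58476d1ce4e5b9ULL;
    z = (z ^ (z >> 27)) * 0x94d049bb133111ebULL;
    return z ^ (z >> 31);
}

typedef uint64_t (*seeder_fn)(unsigned pid, const unsigned char *seed, size_t n);

/* "Remove the access": the mixing of the OS-provided seed is deleted, so the
 * only input left distinguishing two pools is the process id. */
static uint64_t seed_pool_removed(unsigned pid, const unsigned char *seed, size_t n) {
    toy_pool p;
    pool_init(&p);
    (void)seed; (void)n;              /* rand_add(&p, seed, n) was removed */
    rand_add(&p, (const unsigned char *)&pid, sizeof pid);
    return rand_bytes(&p);
}

/* "Initialize it": the buffer the checker complained about gets defined
 * contents before use, and the seed is still mixed into the pool. */
static uint64_t seed_pool_initialized(unsigned pid, const unsigned char *seed, size_t n) {
    toy_pool p;
    unsigned char scratch[16];
    pool_init(&p);
    memset(scratch, 0, sizeof scratch); /* defined contents; checker stays quiet */
    rand_add(&p, scratch, sizeof scratch);
    rand_add(&p, seed, n);
    rand_add(&p, (const unsigned char *)&pid, sizeof pid);
    return rand_bytes(&p);
}

/* Seed up to 256 pools with different seed bytes at one fixed pid and count
 * the distinct outputs. A healthy seeder returns 'trials'; a seeder whose
 * seed mixing was removed returns 1. */
static size_t distinct_outputs(seeder_fn seeder, unsigned pid, size_t trials) {
    uint64_t seen[256];
    size_t count = 0;
    for (size_t i = 0; i < trials && i < 256; i++) {
        unsigned char seed[8] = {0};
        seed[0] = (unsigned char)i;   /* constructed "OS entropy": only byte 0 varies */
        uint64_t out = seeder(pid, seed, sizeof seed);
        size_t j;
        for (j = 0; j < count; j++)
            if (seen[j] == out) break;
        if (j == count) seen[count++] = out;
    }
    return count;
}

int main(void) {
    printf("seed mixing removed: %zu distinct outputs from 64 seeds\n",
           distinct_outputs(seed_pool_removed, 4242, 64));
    printf("buffer initialized : %zu distinct outputs from 64 seeds\n",
           distinct_outputs(seed_pool_initialized, 4242, 64));
    return 0;
}
```

The same check, run as a unit test against a real key generator (generate N keys under controlled seeds, assert they are all distinct), is a cheap regression guard for exactly this class of "silence the tool by deleting the call" mistake.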
