
Debian Bug Leaves Private SSL/SSH Keys Guessable

narfbot Re:OSS, only as good as the last developer? (670 comments)

But the point here is that the freedom that OSS gives you does require you to trust the whole distribution chain. In this case there was an added muppet who did something they shouldn't have, thus rendering everything downstream insecure. OSS is great, but it requires great developers; given that it has taken well over a year to get the advisory out, it shows that the many-eyes piece didn't work here, mainly because the eyes were looking at the original source, not the botched packaging job.
This is actually the number one reason I use slackware. Every package gets built by one guy. And if anything, it's easy to trust one guy. And he happens to be the one with the most experience at making packages. Not only that, his philosophy is to provide pristine packages from its source as far as possible. No worries of changes to these packages except critical bug fixes, and these are usually the kind that go upstream anyway.

Frankly, I'm not surprised that this occurred in Debian. I have seen how they package before. Usually they have the original source and one giant make-package-Debian-centric diff file that would be insanely hard to audit -- correct me if I'm wrong -- at least for anyone outside Debian or who did not build the package in the first place.

more than 6 years ago


narfbot hasn't submitted any stories.


narfbot has no journal entries.
