On Tue, May 27, 2008 at 3:33 PM, Julie [email protected] wrote:
As a noob to Linux I found these articles somewhat "interesting":
--> Not Invented Here has no place in open source development | IT Security | TechRepublic.com
http://blogs.techrepublic.com.com/security/?p=460&tag=nl.e036
--> Detect and replace vulnerable SSH keys on Debian | IT Security | TechRepublic.com
http://blogs.techrepublic.com.com/security/?p=459&tag=nl.e036
wahdooya'l think? Jus' curyuss........
I think it's silly what little effort it takes to call yourself a tech journalist these days. He paints in broad strokes a bit with the traditional anti-patterns identified in corporate development. Debian developers did get in touch with upstream OpenSSL, despite OpenSSL's best efforts to hide. A member of the core team did get in touch, and suggested "if it makes debugging easier, I'm all for it". Since it wasn't the main list, few other developers saw it, and the Debian developer pushed the patch out. Upstream even agrees today with half of the patch in Debian, but the other half is clearly the wrong fix. Rather than remove the access to uninitialized memory, the reasonable thing seems to be to initialize it.
And the other example, I don't know as much about, but I do know that often one works around bugs in OSX simply because you have to. What's even crazier is when they change functionality in a major release, placing the burden on you to stop supporting older releases (the article's "right way") or forever carry a version #ifdef for the workaround.
Calling this "NIH" is downright stupid and contradictory to everything Debian does. NIH is about rewriting everything from scratch because obviously anyone not in the organization is an idiot and can't be trusted. Here we had a developer who noticed something, created a fix, and failed to get enough eyes on it when he went looking for them. I think the important lesson here, and one Debian could do well to memorize, is to make sure your development process is open and accessible.
Justin
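To make Justin's last technical point concrete (initialize the buffer rather than delete the code that reads it), here is an added example in C. It is not OpenSSL's or Debian's code: it is a toy entropy pool with constructed mixing constants, built to show why the two ways of silencing a memory checker's "uninitialized read" warning are not equivalent. Deleting the mixing call removes the warning but also removes every bit of real entropy, so the pool ends up in the same state no matter what the caller feeds it; zeroing the buffer first removes the warning and keeps the entropy.

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>
#include <stdio.h>

/* Added example, not OpenSSL's code: a toy entropy pool used to contrast two
 * ways of silencing a memory-checker warning about uninitialized bytes being
 * mixed into the pool. */

typedef struct {
    uint64_t state;
} pool_t;

/* Mix bytes into the pool. FNV-1a style; the constants are constructed for
 * this example and carry no cryptographic claim. Each step is a bijection on
 * the state (XOR, then multiply by an odd constant), so distinct inputs at any
 * position keep the states distinct. */
static void pool_mix(pool_t *p, const unsigned char *buf, size_t len)
{
    for (size_t i = 0; i < len; i++) {
        p->state ^= buf[i];
        p->state *= 0x100000001b3ULL;
    }
}

/* The two ways the warning could be made to go away. */
enum fix {
    WRONG_FIX_REMOVE_MIXING, /* delete the call that touched the buffer */
    RIGHT_FIX_INITIALIZE     /* zero the buffer, keep the call */
};

/* Reseed the pool from a scratch buffer plus caller-provided entropy.
 * The scratch buffer stands in for the stack bytes the checker flagged. */
uint64_t reseed(const unsigned char *entropy, size_t len, enum fix how)
{
    pool_t p = { .state = 0xcbf29ce484222325ULL }; /* fixed start value */
    unsigned char scratch[16];

    if (how == WRONG_FIX_REMOVE_MIXING) {
        /* The warning is gone, but so is the caller's entropy: the pool now
         * depends only on the constant start value. */
        (void)entropy;
        (void)len;
        (void)scratch;
    } else {
        /* No uninitialized read, and the caller's entropy still reaches
         * the pool. */
        memset(scratch, 0, sizeof scratch);
        pool_mix(&p, scratch, sizeof scratch);
        pool_mix(&p, entropy, len);
    }
    return p.state;
}

/* Count how many distinct pool states n different entropy inputs produce
 * (capped at 64 so the scratch table stays on the stack). */
size_t distinct_states(enum fix how, size_t n)
{
    uint64_t seen[64];
    size_t count = 0;

    if (n > 64)
        n = 64;
    for (size_t i = 0; i < n; i++) {
        /* Constructed "entropy": a 4-byte counter, different for each call. */
        unsigned char entropy[4] = { (unsigned char)i, 0, 0, 0 };
        uint64_t s = reseed(entropy, sizeof entropy, how);
        int dup = 0;
        for (size_t j = 0; j < count; j++)
            if (seen[j] == s)
                dup = 1;
        if (!dup)
            seen[count++] = s;
    }
    return count;
}

int main(void)
{
    printf("mixing removed:   %zu distinct pool states from 16 inputs\n",
           distinct_states(WRONG_FIX_REMOVE_MIXING, 16));
    printf("buffer initialized: %zu distinct pool states from 16 inputs\n",
           distinct_states(RIGHT_FIX_INITIALIZE, 16));
    return 0;
}
```

The count of distinct states is the thing to watch: a reseed routine whose output does not change when its input changes is contributing no entropy at all, which is the failure mode the article's key-replacement instructions exist to clean up after. A reviewer looking at a patch that "fixes" a checker warning can apply the same test to the real code: feed the routine varying input and confirm the output still varies.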