Comments on: Open Source Software – a Chink in the Armour http://blog.simpleigh.com/2008/05/open-source-software-a-chink-in-the-armour/ Just another WordPress weblog Tue, 20 May 2008 10:56:10 +0000 hourly 1 http://wordpress.org/?v= By: Richard Smith http://blog.simpleigh.com/2008/05/open-source-software-a-chink-in-the-armour/comment-page-1/#comment-228 Richard Smith Tue, 20 May 2008 10:56:10 +0000 http://blog.simpleigh.com/2008/05/open-source-software-a-chink-in-the-armour/#comment-228 "Firstly, vendors should not be fixing problems (or, really, anything) in open source packages by patching them locally - they should contribute their patches upstream to the package maintainers. Had Debian done this in this case, we (the OpenSSL Team) would have fallen about laughing, and once we had got our breath back, told them what a terrible idea this was." Well, the error was introduced into Debian on 2nd May 2006 by Kurk Roeckx in this commit: http://svn.debian.org/viewsvn/pkg-openssl/openssl/trunk/rand/md_rand.c?rev=141&r1=140&r2=141 The previous day, he posted an email to the openssl-dev list asking whether this patch would be sensible: http://marc.info/?l=openssl-dev&m=114651085826293&w=2 A few hours later, Ulf Möller responded that he was in favour of the patch. http://marc.info/?l=openssl-dev&m=114652287210110&w=2 According to the OpenSSL webpage, Ulf Möller is a member of the OpenSSL development team: http://openssl.org/about/ ... and has been for quite a some time http://web.archive.org/web/20000815074639/www.openssl.org/about/ I wonder whether the OpenSSL team are still "falling around laughing". “Firstly, vendors should not be fixing problems (or, really, anything) in open source packages by patching them locally – they should contribute their patches upstream to the package maintainers. Had Debian done this in this case, we (the OpenSSL Team) would have fallen about laughing, and once we had got our breath back, told them what a terrible idea this was.”

Well, the error was introduced into Debian on 2nd May 2006 by Kurk Roeckx in this commit:

http://svn.debian.org/viewsvn/pkg-openssl/openssl/trunk/rand/md_rand.c?rev=141&r1=140&r2=141

The previous day, he posted an email to the openssl-dev list asking whether this patch would be sensible:

http://marc.info/?l=openssl-dev&m=114651085826293&w=2

A few hours later, Ulf Möller responded that he was in favour of the patch.

http://marc.info/?l=openssl-dev&m=114652287210110&w=2

According to the OpenSSL webpage, Ulf Möller is a member of the OpenSSL development team:

http://openssl.org/about/

… and has been for quite a some time

http://web.archive.org/web/20000815074639/www.openssl.org/about/

I wonder whether the OpenSSL team are still “falling around laughing”.

]]>