On Tue, 13 May 2008 12:10:16 -0400 "Jonathan S. Shapiro" <[EMAIL PROTECTED]> wrote:
> Ben's points are well taken, but there is one *small* piece of this
> where I have some sympathy for the Debian folks:
>
> > What can we learn from this? Firstly, vendors should not be fixing
> > problems (or, really, anything) in open source packages by patching
> > them locally - they should contribute their patches upstream to the
> > package maintainers.
>
> The response times from package maintainers -- even the good ones like
> the OpenSSL team -- are not always fast enough. Sometimes, vendors
> don't have a choice. There is a catch-22 on both sides of this coin.
>

I was going to post something similar. I maintain several pkgsrc packages (http://www.pkgsrc.org); while most upstream maintainers are happy to receive bug fixes, others range from indifferent to downright hostile.

For example, I once reported a portability bug to a developer: POSIX standards *require* that a certain system call reject out-of-range arguments, and NetBSD enforces that check. The Linux kernel (or rather, the kernel of that time; I haven't rechecked lately) did not. Fine -- a minor standards issue with Linux. But the application I was adding to pkgsrc relied on the Linux behavior and the developer angrily rejected my fix -- the standard was "stupid", and he saw no reason to change his code to conform.

Usually, though, indifference is a bigger problem. The NetBSD internal developers' mailing list has seen numerous complaints about *major* package developers ignoring portability and correctness fixes. If it isn't Linux and it isn't Windows, it doesn't matter, it seems.

--Steve Bellovin, http://www.cs.columbia.edu/~smb

---------------------------------------------------------------------
The Cryptography Mailing List
Unsubscribe by sending "unsubscribe cryptography" to [EMAIL PROTECTED]