Hi foss,

The Debian policy (4.3 Changes to the upstream sources) gives an absolute right to change the sources, but also tells that patches should be sent to the upstream authors in whatever way the maintainer prefers! It doesn't specify that the patches should be synced only if the changes are accepted by the mainstream author. In this (now infamous OpenSSL) case, vulnerable changes were sent and there was only limited discussion with upstream. According to the Debian Wiki, the OpenSSL team didn't raise any objection to the change, but in reality it was not really accepted officially. It was just a workaround to suppress valgrind warnings.

I was shocked that for the sake of an annoying valgrind message (whatever good Debian tells you about the workaround, I don't care!) they came up with such a stupid idea as to change md_rand.c. Why does someone dare to change things when they really don't know what they are doing? The PRNG in Debian's openssl package is predictable and it's a serious threat for all the Debian or Debian-derived distros. The changes were made on May 6th, 2006 and God knows whether there are 0-day exploits ready?

-- Sarose

On May 15, 1:19 pm, "nepbabu.cx" <[EMAIL PROTECTED]> wrote:
> Folks, FYI
> 1) http://it.slashdot.org/comments.pl?sid=551636&cid=23392602
> 2) http://wiki.debian.org/SSLkeys
>
> cheers

FOSS Nepal mailing list: [email protected] http://groups.google.com/group/foss-nepal
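The practical consequence of the md_rand.c change discussed in this thread, as an added illustration that is not part of any message above: once the process ID is the only entropy still reaching the pool (the actual cause of the Debian bug), every key the generator can emit can be listed in advance, which is exactly how the openssl-blacklist and ssh-vulnkey packages detected affected keys. The generator below is a constructed toy model, not OpenSSL's code; PID_MAX and the seed material are assumptions.

```python
import hashlib
import os

# Assumption for this toy model: a 15-bit PID space (1..32767), the range that
# made the real Debian key space small enough to enumerate in full.
PID_MAX = 32768

def _expand(material: bytes, nbytes: int) -> bytes:
    """Stretch seed material into nbytes with a SHA-1 counter; a constructed
    stand-in for OpenSSL's pool, not md_rand.c itself."""
    out = b""
    counter = 0
    while len(out) < nbytes:
        out += hashlib.sha1(material + counter.to_bytes(4, "big")).digest()
        counter += 1
    return out[:nbytes]

def weak_rng_bytes(pid: int, nbytes: int = 32) -> bytes:
    """The crippled generator: the process ID is the only input that still
    reaches the pool, so the output is a pure function of the PID."""
    return _expand(pid.to_bytes(4, "big"), nbytes)

def healthy_rng_bytes(pid: int, seed: bytes, nbytes: int = 32) -> bytes:
    """Same construction with real seed material mixed in (what the removed
    lines did); the PID alone no longer determines the output."""
    return _expand(seed + pid.to_bytes(4, "big"), nbytes)

def fingerprint(key: bytes) -> str:
    return hashlib.sha256(key).hexdigest()

def build_blacklist() -> set:
    """Enumerate every key the weak generator can ever produce. This is the
    defender's side: openssl-blacklist and ssh-vulnkey shipped a precomputed
    list of this kind so hosts could find affected keys."""
    return {fingerprint(weak_rng_bytes(pid)) for pid in range(1, PID_MAX)}

def is_blacklisted(key: bytes, blacklist: set) -> bool:
    return fingerprint(key) in blacklist

def weak_keyspace_size() -> int:
    return len(build_blacklist())

if __name__ == "__main__":
    bl = build_blacklist()
    print("distinct weak keys:", len(bl))
    print("weak key flagged:", is_blacklisted(weak_rng_bytes(4242), bl))
    fresh = healthy_rng_bytes(4242, os.urandom(32))
    print("healthy key flagged:", is_blacklisted(fresh, bl))
```

The real blacklists were larger because they covered several key types, sizes and architectures, but the principle is the same: a generator whose only variable input is the PID yields a key space small enough to precompute and check against.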
