Quoting Toby Corkindale ([email protected]):

> Or the Debian maintainers could just "inadvertently" introduce the
> code themselves and no-one would notice for two years.
> http://article.gmane.org/gmane.linux.debian.security.announce/1614

I'll cite my prior mailing list posts from elsewhere, to save time.
(Please pardon the mild scatological reference.)

Date: Tue, 10 Sep 2013 18:02:14 -0700
From: Rick Moen <[email protected]>
To: [email protected]
Subject: Re: [Pigdog] spock attack on civilization
Organization: If you lived here, you'd be $HOME already.
X-Mas: Bah humbug.

Quoting Trevor Johnson ([email protected]):

> Rick Moen wrote:
>
> > Suborning corporate crypto was a pretty obvious step, I'd say.
>
> Let's not forget CVE-2008-0166, a backdoor in Debian/Ubuntu that remained
> undiscovered for 20 months. Fun slideware:
> https://trailofbits.files.wordpress.com/2008/07/hope-08-openssl.pdf

Kurt Roeckx's good-faith effort to fix OpenSSL RNG spaghetti code[1] was
not 'a trapdoor', but rather an unsuccessful effort to polish the turd
that is OpenSSL.

> I found this message interesting:
> http://www.mail-archive.com/[email protected]/msg04439.html

Well, yeah. That whole thread is spot-on.

[1] http://www.peereboom.us/assl/assl/html/openssl.html

Date: Tue, 10 Sep 2013 13:07:47 -0700
From: Rick Moen <[email protected]>
To: [email protected]
Subject: Re: [linux-elitists] Surveillance
Organization: If you lived here, you'd be $HOME already.
X-Mas: Bah humbug.

Quoting Eugen Leitl ([email protected]):

> Consider all the crypto-related fubars in Debian. So far I chalked
> that up to incompetence, but now I do wonder. It would be good to do
> some forensics on the checkins that caused the regressions, and
> identify the culprits.

In the case of the much-ballyhooed inadvertent sabotaging of the RNG in
the Debian/Ubuntu OpenSSL package[1], I think many commentators don't
sufficiently appreciate just how bad the spaghetti-code problem in
upstream OpenSSL is. Those who ascribe malice to Kurt Roeckx for his
good-faith effort to fix truly messed-up C code are being, IMO, a bit
idiotic and are missing the real problem entirely.

[1] http://lwn.net/Articles/282038/

_______________________________________________
luv-main mailing list
[email protected]
http://lists.luv.asn.au/listinfo/luv-main
