Gilles Chanteperdrix wrote:
> the way Debian maintained a patch to the ssh package is the
> reason why a bug could remain unnoticed during two years in Debian
> distributions, including so-called "stable" distributions. So, maybe it
> is time for a change.

First, it doesn't matter most how you maintain a patch. Most important
is that sufficient code review is done, which unfortunately didn't
happen in the libssl case.

Second, the actual libssl patch in .diff.gz was the following:

diff -u openssl-0.9.8g/crypto/rand/md_rand.c
--- openssl-0.9.8g/crypto/rand/md_rand.c
+++ openssl-0.9.8g/crypto/rand/md_rand.c
@@ -271,7 +271,10 @@

+ * Don't add uninitialised data.
                MD_Update(&m,(unsigned char *)&(md_c[0]),sizeof(md_c));

I.e. quite clear in my opinion. It wouldn't be if Debian wouldn't ship
.diff.gz separately. (The above patch was actually reported upstream and
there was no objection.)

Third, the above case is different from our case: While I consider
debian/* as Debian specific, the above patch was not Debian specific (it
was actually introduced to ease valgrind usage). Therefore, I even
consider the libssl patch style (not the semantics! :-) ) above as good;
but patching debian/* in Debian's diff.gz as bad.

Fourth, you are proposing the same patching technique as above (which
you criticize as not appropriate).

> But of course, if you insist, this probably can be worked around by
> writing some merging script.

Yeah, maybe this is the way to go. Easy to implement and minimizes the
work for all participants.


Xenomai-core mailing list

Reply via email to