The Debian OpenSSL disaster
Unfortunately, it is much cheaper in the short term simply to treat the most damaging symptoms of bad software engineering than it is to address the underlying problems and causes. However, in the long run, this leads to huge amounts of time spent by end users applying patches and updates and developers needing to address the same problems repeatedly.
The good news is that many of the solutions to these problems are not that expensive, and most require little if any technology to implement.
Simply commenting code, documenting communications channels, and asking questions clearly – with as much context as possible – will go a long way. Also, it's important to remember that open source isn't just about access to source code, but access to the very culture that writes the source code, which means everyone has the chance to help make it that much better.
- DSA-1571-1 openssl: http://www.debian.org/security/2008/dsa-1571
- Key rollover: http://www.debian.org/security/key-rollover/
- SSLkeys: http://wiki.debian.org/SSLkeys
- OpenSSL bug report: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=363516
Buy this article as PDF
The bug was introduced back in 2009 and has been lurking around all this time.
The new release deprecates the sshd_config UsePrivilegeSeparation option.
Lives on as a community project
Five new systems join Dell XPS 13 Developer Edition that come with Ubuntu pre-installed.
The Skype Linux client now has almost the same capabilities that it enjoys on other platforms.
At CeBIT 2017, OpenStack Day will offer a wide range of lectures and discussions.
A major setback for the Linux desktop.
Improved support for GPU in virtualization.
News site for the openSUSE community falls victim to a Wordpress exploit.
The source code is available online.