The Debian OpenSSL disaster
Unfortunately, it is much cheaper in the short term simply to treat the most damaging symptoms of bad software engineering than it is to address the underlying problems and causes. However, in the long run, this leads to huge amounts of time spent by end users applying patches and updates and developers needing to address the same problems repeatedly.
The good news is that many of the solutions to these problems are not that expensive, and most require little if any technology to implement.
Simply commenting code, documenting communications channels, and asking questions clearly – with as much context as possible – will go a long way. Also, it's important to remember that open source isn't just about access to source code, but access to the very culture that writes the source code, which means everyone has the chance to help make it that much better.
- DSA-1571-1 openssl: http://www.debian.org/security/2008/dsa-1571
- Key rollover: http://www.debian.org/security/key-rollover/
- SSLkeys: http://wiki.debian.org/SSLkeys
- OpenSSL bug report: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=363516
Buy this article as PDF
Xen project announces a privilege escalation problem for Qemu host systems
Attackers can compromise an Android phone just by sending a text message
PC vendor will pre-install Ubuntu on portables in India.
More embarrassment for Adobe's embattled multimedia tool
Mozilla’s script blocker add-on could be putting malware sites on the whitelist.
The Internet community officially banishes the notoriously unsafe Secure Sockets Layer protocol.
Popular desktop environment continues the Gnome 2 legacy – with new support for the Gnome 3 toolkit.
New program will dial up security for the Firefox browser.
Red Hat's community distro embraces the cloud.