It’s been a day since news emerged of the long-term issue with the Debian-packaged OpenSSL. As demonstrated by the feedback to Ben Laurie’s blog entry, this is a very high-profile issue with plenty of opposing points of view. Hardly surprising, considering the impact it has on the security of the OS.
There is a silver lining:
It’s not a good day for Debian or Open Source in general, but let’s also consider that this bug existed in published code for two years before it was noticed. What horrors must lurk in OSes that are not Open Source and hence have no public scrutiny? I’d rather know that my security is broken and have the opportunity to repair it than to not know it’s broken at all.