Broken Debian Openssl

It’s been a day since news emerged of the long-term issue with the Debian packaged openssl. As demonstrated by the feedback to Ben Laurie’s Blog entry, this is a very high profile issue with plenty of opposing points of view. Hardly surprising, considering the impact it has on the security of the OS.

There is a silver lining:

In future there will be considerably more awareness that package maintainers don’t just package source, they also change it. No doubt there are occasions when this is a good thing but there needs to be much more visibility of when and why it happens.

It further emphasises the old adage, “Security is hard”. No doubt Debian, (and others) will be revising their procedures relating to these packages and it will emerge as an even better OS as a result.

Upstream providers, (though not responsible for the actions of downstream maintainers) will take greater interest in what changes are proposed to their code.

It’s not a good day for Debian or Open Source in general, but lets also consider that this bug existed in published code for two years before it was noticed. What horrors must lurk in OS’s that are not Open Source and hence have no public scrutiny? I’d rather know that my security is broken and have the opportunity to repair it than to not know it’s broken at all.