
Open Source Software No No's. · 13 May 2008, 12:30 by trickykid

Today there was a huge security bug for Debian which made private SSL/SSH keys guessable. What caused this mistake? A developer over at Debian changed some code in OpenSSL. You see, Debian developers like to touch everything that goes into their distribution to make it more suitable for them. They’ll even rename a program if they don’t like the conditions the application’s developers attach to the use and redistribution of its copyrighted or trademarked name. That is perfectly legal when it comes to GPL software, but in my opinion a waste of time.

Anyway, this security bug has been around for over a year. Ouch. If someone did that where I worked they would have been fired. This is one of the many reasons I don’t touch or use Debian. Their developers have to put their hands on everything, which then causes crap like this because they might not know what they’re doing.

You can read more about the bug here: http://article.gmane.org/gmane.linux.debian.security.announce/1614

This is another reason I like Slackware. Patrick makes his distro work in harmony without changing the original source code. He just writes scripts and packages it all together to work with the existing system. Changing the code versus leaving it alone has its pros and cons, but personally, leave the code changes to the people who maintain it; clearly they know their product better than you do.
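To show what “guessable” means in practice, here is an added illustration that is not code from the post and not OpenSSL’s real code or key format. It assumes a toy key generator whose only source of randomness is a 15-bit process id (a constructed stand-in for the stripped-down seeding), and it shows the defensive consequence: once the whole seed space can be enumerated, every key the generator could ever produce can be fingerprinted ahead of time and deployed keys can be checked against that blacklist.

```python
import hashlib
import secrets

# Constructed assumption: the broken generator's only entropy is the pid,
# which on a typical Linux box of the era is at most 15 bits wide.
PID_MAX = 32768


def weak_keygen(pid, key_len=16):
    """Toy 'private key' derived deterministically from the pid alone.

    Because nothing else feeds the seed, there are only PID_MAX possible
    outputs, however long the key looks.
    """
    seed = b"toy-weak-seed:" + pid.to_bytes(2, "big")
    return hashlib.sha256(seed).digest()[:key_len]


def fresh_key(key_len=16):
    """Properly seeded key for comparison: drawn from the OS CSPRNG."""
    return secrets.token_bytes(key_len)


def fingerprint(key):
    """Short fingerprint used as the blacklist entry for a key."""
    return hashlib.sha256(key).hexdigest()[:16]


def build_blacklist():
    """Precompute the fingerprint of every key the weak generator can emit.

    This is the defender's view of the bug: the whole output space is small
    enough to enumerate once and ship as a lookup table.
    """
    return {fingerprint(weak_keygen(pid)) for pid in range(PID_MAX)}


def is_weak(key, blacklist):
    """True if the key is one of the weak generator's possible outputs."""
    return fingerprint(key) in blacklist


if __name__ == "__main__":
    bl = build_blacklist()
    print("distinct weak keys:", len(bl))
    print("pid 1234 key flagged:", is_weak(weak_keygen(1234), bl))
    print("fresh key flagged:", is_weak(fresh_key(), bl))
```

Running it builds a blacklist of exactly 32768 fingerprints in well under a second, flags any key the toy generator produces, and leaves a key from the OS CSPRNG untouched; a real blacklist works the same way, only against real key material and a real key format.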

Well, Debian has its advantages.

I dislike Slackware because it requires too much manual intervention.

Security issues like the ones you mentioned are very rare (I emphasize this point) in Debian. You see, Debian is one of the most thoroughly tested distributions when it comes to security and they have a strong ethic of security checking when it comes to putting anything into the distribution. Obviously sometimes errors creep in.

Obviously software in the “unstable” repository doesn’t get security checks.

• hari, 13 May 2008, 23:35

Very true, I give praise to Debian for how they make sure a package will fit with their distribution. But then it also backfires; they’re not the OpenSSL developers. There are some things you touch and others you don’t. This type of security flaw, though, will leave a bad taste in some people’s mouths because it went so long overlooked, and honestly, OpenSSL is just one of those packages I feel should be left to the OpenSSL guys; it just works how it is, no changes necessary. If there’s a bug in their own code (OpenSSL), they’ll usually find it a lot faster than some distribution developers’ code changes.

And Slackware really isn’t, or doesn’t require, that much manual intervention, especially when it comes to a production-like system. Like these servers, for example: I can go months without touching them. It really depends on the use of the machine; production servers should not run the latest and greatest until tested thoroughly.

• drew, 14 May 2008, 06:57

I agree. Slackware is one of those distributions that you just install and forget about it.

But if you’re one who likes to tweak a Linux system on a daily basis, the process can become tiring very quickly on Slackware.

• hari, 15 May 2008, 01:30

I guess it just depends. Some like Slackware because you get dirty with it.

I’ve lost all passion for tweaking systems though. I try not to even touch a computer after I leave work. I leave tweaks to my day job. If I start doing that at home, I’m just doing my job in my own spare time. This is why one day I plan to go back to school and get a career that doesn’t involve computers, so computers can become a hobby once again and be fun.

• drew, 15 May 2008, 09:46
