Everyone has been talking about this, but it is a big issue, so here's my take on the SSL/SSH debacle.
- Yes, this is horrible. The package maintainer deserves a bit of flameage on this.
- After the flameage is done (say, about 72 hours' worth), package maintainers deserve some props for supporting a great package system.
- This is the situation we silently agreed to when we adopted binary packaging systems; it's a calculated risk that has now reared its ugly head.
- This is a reminder to us all that good security isn't a static state of being but a continuous process, one in which this type of failure is part of the system, provided the root cause is identified and acted upon.
... Or use OpenBSD. ...