2008-05-17

Debian/Ubuntu SSH/SSL Epic Failure

Everyone has been talking about this, but it's a big issue, so here's my take on the SSL/SSH debacle.

  1. Yes, this is horrible. The package maintainer deserves a bit of flameage on this.
  2. After the flameage is done (say, about 72 hours' worth), package maintainers deserve some props for supporting a great package system.
  3. This is the situation we silently agreed to when we chose binary packaging systems; it's a calculated risk, and it has reared its ugly head.
  4. This is a reminder to us all that good security isn't a static state of being but a continuous process, in which this type of failure is part of the system, provided the root cause is identified and acted upon.

So, if you want to be sure about security, compile from source and invest your time, sweat and life into making a bulletproof system. If you want a little life on the side, take these situations in stride, look upon them objectively and deal with them accordingly.

... Or use OpenBSD. ...
