It’s probably worth noting at this point that there are a few lessons from the Debian OpenSSL debacle:
- There is now a corollary to “do not write your own cryptographic routines”: “do not fix bugs in someone else’s cryptographic routines.” If there is an annotated view of the OpenSSL tree (I don’t know/don’t care), the DD who patched OpenSSL would have been better off contacting the person who wrote the offending line in the original source than trying to find the correct channel.
- Developers must publish correct information on how to contact them. Incorrect information on the OpenSSL website maintenance is just as much to blame for this as the DD in question, who did ask the suggested channels about his patch.
- Distros should have peer review of patches in security-critical code—by experienced developers—if they do not already.
- Rather than all the bitching, remember that the central tenet of F/LOSS is Fix It Yourself. This does not cease to apply simply because the problem exists in something you depend on. If anything, it should emphasize how necessary it is.