Comments on: Security Flaws in Free Software http://etbe.coker.com.au/2008/05/21/security-flaws-in-free-software/ Linux, politics, and other interesting things Thu, 09 Feb 2012 01:09:24 +0000 hourly 1 http://wordpress.org/?v=3.3.1 By: etbe http://etbe.coker.com.au/2008/05/21/security-flaws-in-free-software/comment-page-1/#comment-14130 etbe Fri, 23 May 2008 10:32:11 +0000 http://etbe.coker.com.au/?p=585#comment-14130 James: If upstream sees an email of the form user@debian.org then they could probably make the same assumption. The problem is that many DDs for a variety of reasons don't want to use their @debian.org address. But even if an @debian.org address was used, it still wouldn't necessarily solve all problems. It's only really possible to know when a DD is just testing something and when they plan to include it in a release if they state it in their message. James: If upstream sees an email of the form user@debian.org then they could probably make the same assumption. The problem is that many DDs for a variety of reasons don’t want to use their @debian.org address. But even if an @debian.org address was used, it still wouldn’t necessarily solve all problems. It’s only really possible to know when a DD is just testing something and when they plan to include it in a release if they state it in their message.

]]> By: James http://etbe.coker.com.au/2008/05/21/security-flaws-in-free-software/comment-page-1/#comment-14119 James Thu, 22 May 2008 16:46:11 +0000 http://etbe.coker.com.au/?p=585#comment-14119 I am not a DD and don't really know what policies Debian already has in place. But from reading this blog maybe it is as simple as creating a "foo@dev.debian.org" address for DD's that is unambiguously ONLY used in connection with official Debian work. So when upstream sees an e-mail from joe@dev.debian.org they see an implicit signature line saying that this software will be used by millions of people and we need to get it right. (Or perhaps a not-so-implicit signature line.) An e-mail from joe@debian.org could be just trying to debug something and is playing around with non-production code. See here -- having a "dev.openssl.org" address might have prevented this confusion too: "Ulf is actually not a “core” member, just a team member. I had used the term “core” in a slang manner based on the fact that Ulf has an official @openssl.org email address." I am not a DD and don’t really know what policies Debian already has in place. But from reading this blog maybe it is as simple as creating a “foo@dev.debian.org” address for DD’s that is unambiguously ONLY used in connection with official Debian work.

So when upstream sees an e-mail from joe@dev.debian.org they see an implicit signature line saying that this software will be used by millions of people and we need to get it right. (Or perhaps a not-so-implicit signature line.) An e-mail from joe@debian.org could be just trying to debug something and is playing around with non-production code.

See here — having a “dev.openssl.org” address might have prevented this confusion too:

“Ulf is actually not a “core” member, just a team member. I had used the term “core” in a slang manner based on the fact that Ulf has an official @openssl.org email address.”

]]> By: etbe http://etbe.coker.com.au/2008/05/21/security-flaws-in-free-software/comment-page-1/#comment-14112 etbe Thu, 22 May 2008 05:56:59 +0000 http://etbe.coker.com.au/?p=585#comment-14112 Kurt: That's interesting, thanks for the reference. In regard to hashing the PID to give different random numbers after a fork() (which seems pretty weak) it would also be possible to store the value of getpid() when the RNG is seeded and check it every time random numbers are produced, if it is discovered that the PID has changed between adding entropy and requesting a random number then it could add some new entropy from /dev/random or some other good source. Kevin: There is a huge number of programs using random numbers, for a variety of purposes - some of which are important but many aren't. I don't believe that it's possible to have a Debian standard for mailing list communication with upstream. I can't think of anything that could be added to the dev-ref or policy to help in this regard. Kurt: That’s interesting, thanks for the reference. In regard to hashing the PID to give different random numbers after a fork() (which seems pretty weak) it would also be possible to store the value of getpid() when the RNG is seeded and check it every time random numbers are produced, if it is discovered that the PID has changed between adding entropy and requesting a random number then it could add some new entropy from /dev/random or some other good source.

Kevin: There is a huge number of programs using random numbers, for a variety of purposes – some of which are important but many aren’t.

I don’t believe that it’s possible to have a Debian standard for mailing list communication with upstream. I can’t think of anything that could be added to the dev-ref or policy to help in this regard.

]]> By: Kevin Mark http://etbe.coker.com.au/2008/05/21/security-flaws-in-free-software/comment-page-1/#comment-14103 Kevin Mark Wed, 21 May 2008 20:34:46 +0000 http://etbe.coker.com.au/?p=585#comment-14103 Are there any other program that use entropy or rely on RNG in Debian? Is there a best practice for using these? Should Debian include something in the dev-ref or Policy? There is talk of the difficulty of finding the correct ML. Debian prides itself with as much transparency in making such info available. Did openssl meet our standard in this regard? Do others? (mass bug filing?) Are there any other program that use entropy or rely on RNG in Debian? Is there a best practice for using these? Should Debian include something in the dev-ref or Policy? There is talk of the difficulty of finding the correct ML. Debian prides itself with as much transparency in making such info available. Did openssl meet our standard in this regard? Do others? (mass bug filing?)

]]> By: Kurt Roeckx http://etbe.coker.com.au/2008/05/21/security-flaws-in-free-software/comment-page-1/#comment-14101 Kurt Roeckx Wed, 21 May 2008 17:16:45 +0000 http://etbe.coker.com.au/?p=585#comment-14101 See also the thread starting at http://www.mail-archive.com/openssl-dev@openssl.org/msg23999.html See also the thread starting at http://www.mail-archive.com/openssl-dev@openssl.org/msg23999.html

]]>