Reason for GPS problems found!

Christoph Anton Mitterer calestyo at scientia.net
Thu Jul 17 01:43:26 CEST 2008


On Wed, 2008-07-16 at 09:17 +0200, Marcus Bauer wrote:
> I don't follow your view. The Debian ssh bug was all but obvious. That's
> why it went for a long time unnoticed. 
This is off topic but:

I don't consider the SSL issue (SSH was only affected by this) as all
Debian's fault.
First of all, distros always had to and always will have to patch
applications. The arguments of the (Open)SSL project leader that distros
mustn't do that are simply stupid and/or unrealistic....

On the other hand, IIRC the bug was that Debian cleanly initialised some
previously uninitialised memory, that should have been used for
generating random numbers.
1) This sounds like very crappy programming. If OpenSSL chooses to do
such strange techniques they really should document this with some big
exclamation marks in the code. That way that unfortunate Debian
maintainer would probably have noticed what he did.
2) At best this uninitialised memory should be used to further improve
the randomness of the key,... I think it's horrible that its quality
depended so much on that. What if that memory area wasn't used before
and is thus all 0x0, or what if a single-colour PNG file was at this
position in the memory?

Just wanted to say this ;)

... and yes,.. I love Debian ;P

Chris.