Who does what about the Debian Debacle?

Hopefully everyone already knows that Debian & Ubuntu have let us all down over the past two years by shipping a woefully insecure OpenSSL package. Personally, it’s destroyed a lot of faith that I had in the Ubuntu operating system.

Most of us, who aren’t deeply involved in our OS, have to simply trust in the processes and people putting it together. I’m no exception. Before this happened I had no real understanding of the packaging / development process for Ubuntu, and no great interest in it either. More fool me. This one security breach has left me scrambling to find out what went wrong.

 Fixing the cause

This one isn’t going to go away because the fix has been shipped. There is still a serious flaw in the Ubuntu and Debian development process that I’m hopeful the developers are working out on the mailing lists / IRC right now.

Erich Schubert had this to say about the maintainer who made the mistake: “But you bet he’s going to be a lot more careful with any change in the future: he has learned his lesson”. I’m sure he has, but as Erich mentioned shortly after, lots of other maintainers won’t. Nor is there going to be a massive increase in the code quality of upstream software, even for security-sensitive things like OpenSSL. Badly commented software and miscommunications are facts of life; what Ubuntu needs is processes that catch these mistakes in a little less time than 2 years.

 Regaining my trust (and perhaps others too)

I’m fairly sure that things are taking place to make sure this doesn’t happen again. But, like so many institutions, Ubuntu can’t just do right on this one. It has to be seen to do right. The solutions that they come up with must be timely, and extremely public. There are a huge number of people and companies that use Debian & Ubuntu. Not all of them have time to trawl mailing lists and blogs. It’s a biggie. If Canonical don’t start talking loudly about this, it’s a real incentive to move to a different distribution.
