
I still don't know why I'm here

I wasn't going to comment on the recent OpenSSL security update, because too many people have already done so.

Personally I thought that Aigars Mahinovs made the best writeup I've seen so far.

However, I would like to say that having 20+ people all mailing security[at]debian.org to say that the webpage we referenced in the security advisory is currently blank, to ask for details already released in the advisory they replied to, or to ask for even more details, is not so much fun.

Having people immediately start mailing questions like "Huh? What can I do" is only natural, but you can't expect a response when things are as hectic as they have been recently. Ideally people would sit on their hands and bite their tongues. Realistically that isn't going to happen, and realistically this post will make no difference either...

Had the issue not leaked to unstable so quickly (and inappropriately, IMHO) then we'd have had a little more time. But once an issue is reported you need to coordinate with other distributions, and so on. Handling something as severe as this is not fun, and random mails from users are a distraction and a resource hog.

I should say I was not in any way involved in the discovery, the reporting, the preparation of the fix(es), or the releasing of the update. I knew it was coming, but everybody else seemed to have it well in hand. When there are mails going back and forth for 5+ days with ever-growing Cc: lists, and mailing lists being involved I figure one more cook wouldn't be useful.

So in conclusion:

a. Bad hole.

b. Fixing this will take years, probably.

c. 50+ mails to the security team within an hour of the advisory going public complaining of missing information is not helpful, not useful, and quite irritating. (Albeit understandable).

d. People who don't know the details of an attack, or issue, shouldn't speculate and start panic, fear, and confusion. Especially when details are a little vague.

e. I still like pies.

Once again, thanks to everybody who was involved and put in an insane amount of work. Yes, this is only the start - our users have to suffer the pain of regenerating everything - but we did good.

Really. Debian did good.

It might not look like it right now, but it could have been so much worse, and Debian did do good.

ObQuote: X-Men: The Last Stand

Comments On This Entry

  1. [gravitar] David Ulevitch
    Thank goodness you still like pies. Life /will/ continue. :-)
  2. [gravitar] Harald
    You wrote:
    "People who don't know the details of an attack, or issue, shouldn't speculate and start panic, fear, and confusion."
    I laughed so hard I almost fell out of my chair! Thank you...
  3. [author] Steve

    Harald: It was probably a bit harsh. But I've seen some crazy speculation from people who've clearly not even read the advisory - let alone looked at the code, or anything more.

  4. [gravitar] btmorex
    Steve,
    Can you explain why this shouldn't cause panic and fear? As I understand it, any OpenSSL key pair generated on a Debian machine in the past couple of years will be one of a set of only about 250,000 key pairs. It would be ridiculously quick to launch a brute force attack searching through the entire key space.
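To illustrate the point btmorex raises above (why a key generator whose only entropy is a tiny value produces an enumerable key space), here is an added toy model; it is not code from the original post, from Debian or from OpenSSL. It assumes the only entropy feeding key generation is a 15-bit, process-ID-sized value, replaces real key derivation with SHA-256 so it runs offline, and uses a truncated HMAC as a stand-in for a public-key fingerprint. The 250,000 figure in the comment is the commenter's; the model's 2^15 seed range is an assumption chosen for the demonstration, and the names below are hypothetical.

```python
"""Toy model: a PRNG seeded only from a small value yields an enumerable key space.

Added illustration, not code from the original post or from Debian/OpenSSL.
Real key derivation is replaced by SHA-256 so the model runs offline; the seed
range (a 15-bit, PID-sized value) is an assumption made for the demonstration.
"""
import hashlib
import hmac
import secrets
from typing import Dict, Optional, Tuple

SEED_BITS = 15                 # assumption: the only entropy is a PID-sized value
SEED_SPACE = 1 << SEED_BITS    # 32768 possible seeds, hence 32768 possible keys


def weak_keygen(seed: int) -> bytes:
    """Deterministic 'private key' derived only from a small seed (the flaw modelled)."""
    if not 0 <= seed < SEED_SPACE:
        raise ValueError("seed outside the modelled range")
    return hashlib.sha256(b"weak-keygen|" + seed.to_bytes(4, "big")).digest()


def strong_keygen() -> bytes:
    """Properly seeded counterpart: 256 bits straight from the OS CSPRNG."""
    return secrets.token_bytes(32)


def fingerprint(priv: bytes) -> str:
    """Stand-in for a public-key fingerprint: a value an attacker can observe
    that is a deterministic function of the private key."""
    return hmac.new(b"fingerprint", priv, hashlib.sha256).hexdigest()[:16]


def build_table() -> Dict[str, int]:
    """Attacker precomputation: one fingerprint for every possible seed.
    With a 15-bit seed this is a one-off job of 32768 hashes."""
    return {fingerprint(weak_keygen(s)): s for s in range(SEED_SPACE)}


def recover_seed(target_fp: str, table: Dict[str, int]) -> Optional[int]:
    """Look an observed fingerprint up in the precomputed table; a hit gives the
    seed, and weak_keygen(seed) then reproduces the victim's private key."""
    return table.get(target_fp)


def attack_feasibility_bits(seed_bits: int = SEED_BITS, key_bits: int = 256) -> Tuple[float, float]:
    """log2 of the guesses needed: 2**seed_bits for the weak scheme versus
    roughly 2**key_bits for a properly seeded one."""
    return float(seed_bits), float(key_bits)


def demo() -> bool:
    """End-to-end: precompute, observe one weak key, recover it; a strong key misses."""
    table = build_table()
    victim_seed = 12345                                # constructed victim
    observed = fingerprint(weak_keygen(victim_seed))   # what the attacker sees
    if recover_seed(observed, table) != victim_seed:
        return False
    # A key from the properly seeded generator has no entry in the table.
    return recover_seed(fingerprint(strong_keygen()), table) is None


if __name__ == "__main__":
    ok = demo()
    weak_bits, strong_bits = attack_feasibility_bits()
    print(f"weak key space: 2^{SEED_BITS} = {SEED_SPACE} keys; recovery worked: {ok}")
    print(f"work to enumerate: 2^{weak_bits:.0f} (weak) vs 2^{strong_bits:.0f} (strong)")
```

Run directly, it builds the whole table and recovers the constructed victim's seed in well under a second; the lesson is the gap between 2^15 guesses against the weak generator and roughly 2^256 against the properly seeded one, which is why "regenerate everything" is the only real remedy once such a key has been made.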
  5. [author] Steve

    People should be concerned, and update themselves. That is to be expected.

    What isn't expected is grossly wide speculation - such as people believing that GPG is broken too, and that the Debian project cannot trust uploads and will be a source for trojaned packages, because people may spoof signatures and upload malicious packages.

    If you've read the advisory then you're well informed. People haven't, and people are claiming all kinds of utterly unlikely, untrue, and infeasible things are possible...

  6. [gravitar] VE
    As a longtime user of debian on both the server and desktop, I very much want to know what's going to be done to make sure nothing like this happens again.
    In addition to taking years, between man hours and CA certificates, it could cost millions.

  7. [gravitar] Mac
    It's OK to not know why you are here. Nothing lasts forever, not even crypto keys. I still like pies _and_ Debian. Carry on and up, you'll eventually find out why you are here.