I agree that Ben may have been indulging in a bit of post facto “face saving” as you say. But he has the decency to mention the openssl-dev list posting - embarrassing as that may be. But that still doesn’t change my view that the upstream package maintainer is best placed to fix flaws.

Both sides of the argument look bad here. The openssl team for not providing sufficient support to a query about the code (and for not commenting the code sufficiently well to allow the researcher to understand the impact of commenting out the “offending” lines); and the Debian team for making and then maintaining a fork of the openssl code for two years without getting it back into the upstream.

Mick

Whilst I am not happy with what happened here in Debian the patch in question was actually discussed on the openssl-dev list *before* being applied. Ben now tries to claim that the openssl-dev list isn’t for openssl development, but as this LWN article points out the list was described on their site as:

Discussions on development of the OpenSSL library. Not for application development questions!

The list he suggested to be used was not mentioned on their website. So I suspect there’s a bit of face saving going on here on their part too.. :-)

Also don’t forget that if you’ve used a compromised client with a good DSA key then you should consider that DSA key compromised as well. :-(