Comments on: Too similar to be different http://www.aigarius.com/blog/2008/05/14/too-similar-to-be-different/ Mindblogging the world to itself Thu, 20 Nov 2008 17:01:39 +0000 http://wordpress.org/?v=2.6.2 By: wheestAttalia http://www.aigarius.com/blog/2008/05/14/too-similar-to-be-different/#comment-272424 wheestAttalia Fri, 14 Nov 2008 06:29:36 +0000 http://www.aigarius.com/blog/2008/05/14/too-similar-to-be-different/#comment-272424 god site. it was very interestingly god site. it was very interestingly

]]> By: Zooxyhusy http://www.aigarius.com/blog/2008/05/14/too-similar-to-be-different/#comment-269051 Zooxyhusy Sat, 08 Nov 2008 03:16:38 +0000 http://www.aigarius.com/blog/2008/05/14/too-similar-to-be-different/#comment-269051 Hello! Good site, good content Hello! Good site, good content

]]> By: MutOffegeNefe http://www.aigarius.com/blog/2008/05/14/too-similar-to-be-different/#comment-268975 MutOffegeNefe Sat, 08 Nov 2008 00:25:02 +0000 http://www.aigarius.com/blog/2008/05/14/too-similar-to-be-different/#comment-268975 Good site! Successes in future Good site! Successes in future

]]> By: Lanux » Vulnerabilidad de OpenSSL en Debian http://www.aigarius.com/blog/2008/05/14/too-similar-to-be-different/#comment-141362 Lanux » Vulnerabilidad de OpenSSL en Debian Tue, 20 May 2008 13:57:07 +0000 http://www.aigarius.com/blog/2008/05/14/too-similar-to-be-different/#comment-141362 [...] dejo mis links [...] [...] dejo mis links [...]

]]> By: ciol http://www.aigarius.com/blog/2008/05/14/too-similar-to-be-different/#comment-136894 ciol Thu, 15 May 2008 21:53:41 +0000 http://www.aigarius.com/blog/2008/05/14/too-similar-to-be-different/#comment-136894 I honestly cannot see the correlation between patching things for integration or the /size of stable/ on this problem. The patches against ssh should have been reviewed by /more than one person/ in the last few year ... I honestly cannot see the correlation between patching things for integration or the /size of stable/ on this problem.

The patches against ssh should have been reviewed by /more than one person/ in the last few year

]]> By: Jon http://www.aigarius.com/blog/2008/05/14/too-similar-to-be-different/#comment-136616 Jon Thu, 15 May 2008 09:58:05 +0000 http://www.aigarius.com/blog/2008/05/14/too-similar-to-be-different/#comment-136616 I honestly cannot see the correlation between patching things for integration or the size of stable on this problem. The patches against ssh should have been reviewed by more than one person in the last few years, yes, there have definitely been errors here. But I don't see how this extrapolates to the entire archive. That sounds like slashdot sound-byte nonsense. I honestly cannot see the correlation between patching things for integration or the size of stable on this problem.

The patches against ssh should have been reviewed by more than one person in the last few years, yes, there have definitely been errors here. But I don’t see how this extrapolates to the entire archive.

That sounds like slashdot sound-byte nonsense.

]]> By: Mac http://www.aigarius.com/blog/2008/05/14/too-similar-to-be-different/#comment-136394 Mac Thu, 15 May 2008 02:18:45 +0000 http://www.aigarius.com/blog/2008/05/14/too-similar-to-be-different/#comment-136394 Very well done article on a not so easy topic. It's ok if there are folks out there who disagree. That is their 'bug' to fix not mine. ;-) I use Debian today. No changes are planned. Very well done article on a not so easy topic. It’s ok if there are folks out there who disagree. That is their ‘bug’ to fix not mine. ;-) I use Debian today. No changes are planned.

]]> By: Erich http://www.aigarius.com/blog/2008/05/14/too-similar-to-be-different/#comment-136053 Erich Wed, 14 May 2008 19:34:18 +0000 http://www.aigarius.com/blog/2008/05/14/too-similar-to-be-different/#comment-136053 Hi, Just a quick followup. The main location where this warning of using "uninitialized memory" does indeed deliberately use uninitialized memory. The function is expected to fill a buffer with random data. It first uses the current memory contents to further randomize (maybe, if that data is random), then fills the buffer with randomness. This use of the existing contents is definitely safe and doesn't do any harm (except causing this warning, which sparked all this mess, actually...) The big mistake the Debian maintainer did was to also remove another *literate* copy of that line in the OpenSSL source, which happened to be used to feed randomness into the RNG, thus making all OpenSSL efforts to obtain more randomness moot. The reason why I believe OpenSSL upstream is also to blame is because they didn't care about other users wanting to use valgrind and not see their "deliberate" error reported again and again. This caused the Debian maintainer to fix the issue himself, introducing the mistake. If OpenSSL had cared about developers wanting to use valgrind, it wouldn't have happened in the first place. Hi,
Just a quick followup. The main location where this warning of using “uninitialized memory” does indeed deliberately use uninitialized memory. The function is expected to fill a buffer with random data. It first uses the current memory contents to further randomize (maybe, if that data is random), then fills the buffer with randomness.
This use of the existing contents is definitely safe and doesn’t do any harm (except causing this warning, which sparked all this mess, actually…)

The big mistake the Debian maintainer did was to also remove another *literate* copy of that line in the OpenSSL source, which happened to be used to feed randomness into the RNG, thus making all OpenSSL efforts to obtain more randomness moot.

The reason why I believe OpenSSL upstream is also to blame is because they didn’t care about other users wanting to use valgrind and not see their “deliberate” error reported again and again. This caused the Debian maintainer to fix the issue himself, introducing the mistake. If OpenSSL had cared about developers wanting to use valgrind, it wouldn’t have happened in the first place.

]]> By: ciol http://www.aigarius.com/blog/2008/05/14/too-similar-to-be-different/#comment-136033 ciol Wed, 14 May 2008 18:28:20 +0000 http://www.aigarius.com/blog/2008/05/14/too-similar-to-be-different/#comment-136033 "It doesn't matter how often you do it: freezing thousands of packages into a stasis just doesn't work." tuomov, 03/03/2007. He was right. As a /. user says "who cares how "integrated" a program is, if it could have had arbitrary bugs silently introduced?" Debian's packages are /too/ well integrated. If -stable was smaller, maybe this would have not happened. “It doesn’t matter how often you do it: freezing thousands of packages into a stasis just doesn’t work.” tuomov, 03/03/2007. He was right.

As a /. user says “who cares how “integrated” a program is, if it could have had arbitrary bugs silently introduced?”

Debian’s packages are /too/ well integrated.

If -stable was smaller, maybe this would have not happened.

]]> By: Rudi Cilibrasi, PhD http://www.aigarius.com/blog/2008/05/14/too-similar-to-be-different/#comment-135985 Rudi Cilibrasi, PhD Wed, 14 May 2008 16:12:45 +0000 http://www.aigarius.com/blog/2008/05/14/too-similar-to-be-different/#comment-135985 As I tried to explain, the logic in this entry was flawed. See correct logic at the following URL: http://www.links.org/?p=328 As I tried to explain, the logic in this entry was flawed. See correct logic at the following URL:

http://www.links.org/?p=328

]]>