The SSH/SSL vulnerability: what you should know

I wasn't going to post about this, but it seems that, for my own sanity, I must. As you might know by now, a Debian Security Advisory came out, talking about a problem that affected the OpenSSL package, not only for Debian but for its derivatives too, like Ubuntu.

My first two remarks, and probably the most important ones for my thoughts about this issue:
  • If what you know about this issue is what you read on Slashdot, YOU'RE WRONG. Even the news item itself is wrong, and the comments are clueless, written by people who don't know shit about what they are talking about. Worse than useless, that story on /. is disinformation.
  • If you think that this issue only affects users of Debian and Debian derivatives, think twice. Any Linux/Unix/*BSD system that grants access to a key generated on an affected Debian or Ubuntu system is vulnerable. Erich has a simple yet good explanation of why.

Now, my stand on the issue: if you really feel the need to mock, criticize or otherwise comment about this issue, do yourself and me a favour, and avoid making a fool of yourself. In other words, find out what really happened and what this is all about, and form your own opinion based on facts, instead of just falling into the absurdity that spread around, saying silly stuff like "Debian does not contribute to upstream" (what a joke, did you ever read the Debian Social Contract?), or "Debian shouldn't make security fixes". As a matter of fact, John Goerzen wrote an interesting article about some of those claims and why they are wrong.

So, to help you a little, here's a small list of articles you might want to read about the issue:

Yes, it was an unfortunate thing to happen. So, go fix your stuff and leave me alone.