Today I updated the Debian GNU/Linux machines under my control in order to apply the fixes for DSA-1571 and DSA-1576.
I had to regenerate several keys in the servers but now it appears to be all safe again.
That was an error from a Debian package maintainer but, in spite of that, Debian remains my GNU/Linux distribution of choice.

I read another comment about that and I'm not sure if that really is a Debian problem. In that comment the following question was raised:
http://www.aigarius.com/blog/2008/05/14/too-similar-to-be-different/, http://blog.drinsama.de/erich/en/linux/2008051401-debian-openssl-desaster.html and http://blog.drinsama.de/erich/en/linux/2008051401-debian-openssl-desaster.html
I myself have looked into the OpenSSL stuff more than once and I'm sorry, but this is one of the most underdocumented pieces of software one can imagine. The whole stuff looks like "black voodoo". I just invite you to visit:
http://openssl.org/
and get something out of this.
It's really a thing which makes me more than nervous. Such an important part of the whole IT security and that badly documented....
Regards
Friedrich
I'm by no means trying to add fuel to the fire. As I said in the post, Debian remains my favorite distro. And I also read the analysis of the problem. We all have a part in the problem, no one is to blame alone. In fact, reading the post from Edgar (http://blog.drinsama.de/erich/en/linux/2008051401-debian-openssl-desaster.html) that you link:
"Yes, he screwed up there. But you bet he's going to be a lot more careful with any change in the future: he has learned his lesson. Better than having someone else screw up in a similar way again. And actually he didn't do this change half as easy-hearted as many people suggest, if you look at the discussions on the bug report and mailing lists. He was trying to fix the valgrind bug, and he talked to several people on how to do it properly."
I fully agree with this. Furthermore, I think we all have been in a situation similar to this and those are the kind of situations you learn more from, because you never forget them.
By the way, security is a hard discipline. And events like this just show it. But, at the same time, the quick response and honesty shown just reaffirm my confidence in the Debian people and in the FOSS community in general.