…why you should never, never, *never* patch code that you do not understand fully…

http://svn.debian.org/viewsvn/pkg-openssl/openssl/trunk/rand/md_rand.c?rev=141&view=diff&r1=141&r2=140&p1=openssl/trunk/rand/md_rand.c&p2=/openssl/trunk/rand/md_rand.c

And that is why you report bugs to upstream and let those who know what they are doing sort them out. Not someone with a half-wit for a brain.

Random patching and “improvement” of code is evil. End of story.

“Given enough eyeballs, all bugs are shallow”, my ass. Look at all the Debian and Debian-related (hello, Ubuntu people!) users squirrel around to change every single bit of crypto that they created in the last two years. Repeat after me: TWO YEARS.

Who of them freedom lovers ever bothered to look at the patches that this oh-so-trustworthy distribution provider has put into a package? Speaking of “single vendor lock-in”: How many distributions call themselves “free and open” just because they recompile or just ship the Debian packages verbatim?

That is as good as shipping an OEM Windows, folks! And now you got burned. Bad for you. Good for community health in the long run. Keeps you on your toes.

14 May 2008 | Rants, Netstuff | Comments


(C) 2005-2007 Henning Schmiedehausen