Vendors Are Bad For Security
Some of Ben Laurie's take on the "extremely serious vulnerability" that Debian added to OpenSSL.
I've ranted about this at length before, I'm sure - even in print, in O'Reilly's Open Sources 2. But now Debian have proved me right (again) beyond my wildest expectations. Two years ago, they "fixed" a "problem" in OpenSSL reported by valgrind by removing any possibility of adding any entropy to OpenSSL's pool of randomness.
The result of this is that for the last two years (from Debian's "Edgy" release until now), anyone doing pretty much any crypto on Debian (and hence Ubuntu) has been using easily guessable keys. This includes SSH keys, SSL keys and OpenVPN keys.
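To make the failure concrete, here is a small added model (not OpenSSL's code and not from the original post) of a hash-based entropy pool: `seed_pool` folds new bytes into the pool state unless `mix_entropy` is False, which stands in for the effect the post describes, added entropy never reaching the pool. The SHA-1 mixing step, the `derive_key` stretch and the per-host sample entropy are all constructed for the demo, and dropping every input is a simplification of the real patch.

```python
import hashlib

POOL_BYTES = 20  # toy pool the width of one SHA-1 digest (constructed model, not md_rand.c)


def seed_pool(pool: bytes, entropy: bytes, mix_entropy: bool) -> bytes:
    """One RAND_add-style step: new_pool = H(old_pool || entropy).

    With mix_entropy=False the entropy is never hashed in, which models the
    patch's effect: the pool state stops depending on what was added to it.
    """
    h = hashlib.sha1(pool)
    if mix_entropy:
        h.update(entropy)
    return h.digest()


def derive_key(pool: bytes, nbytes: int = 16) -> bytes:
    """RAND_bytes-style output: stretch the pool state into key material."""
    out = b""
    counter = 0
    while len(out) < nbytes:
        out += hashlib.sha1(pool + counter.to_bytes(4, "big")).digest()
        counter += 1
    return out[:nbytes]


def generate_keys(entropy_inputs, mix_entropy):
    """Seed one fresh pool per host from that host's own entropy and derive a key each."""
    keys = []
    for ent in entropy_inputs:
        pool = seed_pool(b"\x00" * POOL_BYTES, ent, mix_entropy)
        keys.append(derive_key(pool))
    return keys


def distinct_key_count(entropy_inputs, mix_entropy):
    """Number of different keys the hosts ended up with (should equal the host count)."""
    return len(set(generate_keys(entropy_inputs, mix_entropy)))


# Constructed sample: ten hosts, each with its own 32 bytes of "entropy"
SAMPLE_ENTROPY = [hashlib.sha256(b"host-%d" % i).digest() for i in range(10)]

if __name__ == "__main__":
    print("entropy mixed in:", distinct_key_count(SAMPLE_ENTROPY, True), "distinct keys")
    print("entropy dropped: ", distinct_key_count(SAMPLE_ENTROPY, False), "distinct keys")
```

With mixing in place the ten hosts get ten different keys; with the mixing removed they all derive the same key, since nothing they fed the pool ever changed its state.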
What can we learn from this? Firstly, vendors should not be fixing problems (or, really, anything) in open source packages by patching them locally - they should contribute their patches upstream to the package maintainers. Had Debian done this in this case, we (the OpenSSL Team) would have fallen about laughing, and once we had got our breath back, told them what a terrible idea this was. But no, it seems that every vendor wants to "add value" by getting in between the user of the software and its author.
Secondly, if you are going to fix bugs, then you should install this maxim of mine firmly in your head: never fix a bug you don't understand.