Doubting the Debian Doubters

There's a bit of a kerfuffle in the world of the Debian distro because of this:

Luciano Bello discovered that the random number generator in Debian's openssl package is predictable. This is caused by an incorrect Debian-specific change to the openssl package (CVE-2008-0166). As a result, cryptographic key material may be guessable.

This is a Debian-specific vulnerability which does not affect other operating systems which are not based on Debian. However, other systems can be indirectly affected if weak keys are imported into them.

Undoubtedly, it's a nasty bug, and one that has been around for worryingly long. But the finger-pointing that has inevitably followed, about supposed weaknesses in the open source approach to code development, misses the point.

It's true that open code is supposed to make it easier to spot bugs and catch bad security lapses like this one. But it doesn't guarantee it. Contrast this, however, with the situation for proprietary code. Since outsiders can't look at the code, probably the only way they get to find out about major security lapses is when those lapses are exploited. This episode shows that neither Debian nor open source is perfect, but that they're still a darn sight better than the alternatives.