Topic: Debian security standards, deflecting questions about SSH2 issue

pocock


The Talos II and Blackbird have been marketed as a platform for security-minded users and many people have purchased the platform with that in mind.

Security is only as good as the weakest link in the chain.  It is no good having the most secure hardware if there are regular defects in the OS or web browser or some other level in the stack.

I've recently started blogging about Debian's handling of security issues.

This is not a new concern: in 2008, it was the OpenSSL random number generator and some people still have vulnerable keys in use today, 16 years later.

The new revelation is that in March 2000, Edward Brocklesby took over the SSH2 package and uploaded new binaries into Debian.

Six weeks later, in April 2000, Brocklesby was secretly expelled for hacking.

The Debian Social Contract, point 3 tells us "we won't hide problems".  I felt the social contract compelled me to bring this SSH2 affair into the public domain at the beginning of June 2024.  Andreas Tille has made four more "Statement on Daniel Pocock" insult responses in barely four weeks, two of them on web sites and two by spam emails.  Somebody commented that Debian never had such a big hissy fit.

Nonetheless, these hissy fits reveal a lot about the culture.  I made a chronological review of the culture so people can see it is not about me; the series of suicides and other deaths, with evidence, suggests it is about the mindset of the group.  For people who have to answer everything with a new "Statement on Daniel Pocock", what we see is that being stubborn is more important than being secure.

The Brocklesby affair may be 24 years ago but it actually reveals a continuity.  We can measure subsequent security incidents against the Brocklesby affair and see that each time Debian is tested, the responses are lackluster.
Debian Developer
https://danielpocock.com

Borley

Re: Debian security standards, deflecting questions about SSH2 issue
« Reply #1 on: July 05, 2024, 12:28:55 pm »
It looks like I have some evening reading to catch up on.

https://danielpocock.com/integrity-fail-debian-social-contract/

As I age, my perception skews further toward "humans are flawed beings", and no amount of rule making or societal structuring will ever eliminate exploitative behavior. And in software projects, the more humans (flawed beings) are involved, the more exploitative activity will occur. None of this is to excuse such behavior.

I can think of Maone, author behind NoScript, having dubious history but still being a net positive in the world of adblocking and open source software.

Andreas Tille - Can it be inferred that his intentions with his time as project leader are malicious? What kind of negative changes, impacting Debian security, would one anticipate being made during this time?
Blackbird C1P9S01, CPU 02CY650, 2x 8GB 2666 RAM, 1024GB M.2 SSD, AMD RX 560X, 2U heatsink, 500W SFX PSU, Debian 11

pocock

Re: Debian security standards, deflecting questions about SSH2 issue
« Reply #2 on: July 05, 2024, 02:48:40 pm »
Quote from: Borley on July 05, 2024, 12:28:55 pm
Andreas Tille - Can it be inferred that his intentions with his time as project leader are malicious? What kind of negative changes, impacting Debian security, would one anticipate being made during this time?

I do not know how much comes from his own personal intentions and how much he is manipulated to behave rudely to my family and me.

When people see the negative attacks on my family, they do not want to join Debian or associate with Debian people.

Some people already decided to leave.  You can read some of the historic resignations here.  There have been more.

The FSFE also had a lot of resignations; nobody was ever expelled.  Some of them wrote their reasons publicly.

Therefore, the composition of the Debian organization after 12 months of the current leader will be a reflection of his leadership behavior.

Imagine if you go on holiday and you arrive at the destination and you find the people in that place are eating somebody, a cannibal feast.  If you are a cannibal too you might stay in that village for your holiday.  But if you are not a cannibal you will probably change your vacation plans and go somewhere else.  If they eat somebody every weekend in that village then sooner or later anybody who is not a cannibal has probably been eaten or moved elsewhere and the only people left are cannibals.

Having less skilled people in Debian will mean fewer eyes on security problems, slower responses to security alerts and various other consequences.

(unrelated, we don't know if the German cannibal case is connected or not)
Debian Developer
https://danielpocock.com