Debian security standards, deflecting questions about SSH2 issue

[pocock]

The Talos II and Blackbird have been marketed as a platform for security-minded users and many people have purchased the platform with that in mind.

Security is only as good as the weakest link in the chain.  It is no good having the most secure hardware if there are regular defects in the OS or web browser or some other level in the stack.

I've recently started blogging about Debian's handling of security issues.

This is not a new concern: in 2008, it was the OpenSSL random number generator and some people still have vulnerable keys in use today, 16 years later.

The new revelation is that in March 2000, Edward Brocklesby took over the SSH2 package and uploaded new binaries into Debian

Six weeks later and in April 2000 Brocklesby was secretly expelled for hacking

The Debian Social Contract, point 3 tells us "we won't hide problems".  I felt the social contract compelled me to bring this SSH2 affair into the public domain at the beginning of June 2024.  Andreas Tille has made four more "Statement on Daniel Pocock" insult responses in barely four weeks, two of them on web sites and two by spam emails.  Somebody commented that Debian never had such a big hissy fit.

Nonetheless, these hissy fits reveal a lot about the culture.  I made a chronological review of the culture so people can see it is not about me, the series of suicides and other deaths, with evidence, suggest it is about the mindset of the group.  For people who have to answer everything with a new "Statement on Daniel Pocock", what we see is that being stubborn is more important than being secure.

The Brocklesby affair may be 24 years ago but it actually reveals a continuity.  We can measure subsequent security incidents against the Brocklesby affair and see that each time Debian is tested, the responses are lackluster.

[Borley]

It looks like I have some evening reading to catch up on.

https://danielpocock.com/integrity-fail-debian-social-contract/

As I age, my perception skews further toward "humans are flawed beings", and no amount of rule making or societal structuring will ever eliminate exploitative behavior. And in software projects, the more humans (flawed beings) are involved, the more exploitative activity will occur. None of this is to excuse such behavior.

I can think of Maone, author behind NoScript, having dubious history but still being a net positive in the world of adblocking and open source software.

Andreas Tille - Can it be inferred that his intentions with his time as project leader are malicious? What kind of negative changes, impacting Debian security, would one anticipate being made during this time?

[pocock]

Andreas Tille - Can it be inferred that his intentions with his time as project leader are malicious? What kind of negative changes, impacting Debian security, would one anticipate being made during this time?

I do not know how much comes from his own personal intentions and how much he is manipulated to behave rudely to my family and I.

When people see the negative attacks on my family, they do not want to join Debian or associate with Debian people

Some people already decided to leave.  You can read some of the historic resignations here.  There have been more.

The FSFE also had a lot of resignations, nobody was ever expelled.  Some of them wrote their reasons publicly.

Therefore, the composition of the Debian organization after 12 months of the current leader will be a reflection of his leadership behavior.

Imagine if you go on holiday and you arrive in the destination and you find the people in that place are eating somebody, a cannibal feast.  If you are a cannibal too you might stay in that village for your holiday.  But if you are not a cannibal you will probably change your vacation plans and go somewhere else.  If they eat somebody every weekend in that village then sooner or later anybody who is not a cannibal has probably been eaten or moved elsewhere and the only people left are cannibals.

Having less skilled people in Debian will mean less eyes on security problems, slower responses to security alerts and various other consequences.

(unrelated, we don't know if the German cannibal case is connected or not)

[vikings.thum]

I find this whole Daniel Pocock vs. Debian and Debian vs. Daniel Pocock thing incredibly icky and prefer to avoid it altogether whenever I stumble across it because it's impossible to form an informed opinion at this stage. Of course, I want to believe that teams members of Debian are not a bunch of idiots, just as I want to believe that Daniel is not as despicable as he is described by some. I also know how it is to be on "bad side" of a character assassination campaign, so I'll definitely remain on the neutral side

"humans are flawed beings"

If anyone feels the need to add more drama to their life, I suggest you travel to Ukraine instead and help within your means. It put a lot of things into perspective for me.
Not everyone is a great communicator, but I firmly believe that even bad communication can be better than cutting each other's heads off... so I hope this will be resolved one way and not the other eventually.

[MauryG5]

I think it's crazy that even today in 2024, people can still talk badly about Daniel Pocock and his precious contribution to Debian on Power. I would like to understand what these people still want from him and what he still has to do to avoid people talking badly about him! I just hope that this story ends one day because as a Debian user I am very sorry that one of our best Debian developers can be so criticized...

[pocock]

It is not just about me.  It is a whole history of the group treating people badly for 30 years.  Each case was different.  That is why I wrote up the history step by step.  This type of step-by-step document, in date order, makes it easier to troubleshoot the Debian group.

Every week I get messages of support from people who are afraid to talk publicly now.  There was a wave of fresh interest in the cabal phenomena recently due to the Sonny Piers case at GNOME.

But one of the common pieces of feedback is that some companies have told their employees not to communicate with any open source groups.  Nobody knows which developer will be the next target.  Remember they went after Dr Norbert Preining for using the wrong pronoun.  In most companies, if an employee made a mistake like that, and it doesn't look deliberate, the company would try to resolve it over a coffee or something, they wouldn't waste thousands of emails nitpicking it.

Companies want their employees to rest on the weekends and at Christmas.  When they look at all the messages from Christmas 2018, most employers don't know who was right or wrong but they know this group has too much stress and not enough respect for volunteers, personal time and families.

[MauryG5]

In the Power community you have the support of all of us I think, no one excluded so don't worry about what they say in the Debian team, indeed since there are also precedents, evidently there is a problem in that team which is not insignificant in my humble opinion...