It’s been a common complaint since the dawn of the Fedora project: the process for getting new software into Fedora is too complex.
We feel everyone’s pain, and always have. It’s a difficult balance: you want to make sure that you open participation to as many packagers as possible — but you also want to ensure the quality of those packages. Particularly from a security perspective.
The Debian/Ubuntu OpenSSL bug is scary as hell. It’s a tough day for those projects right now, but everyone who’s been around the Fedora community knows the uncomfortable truth: there, but for the grace of God, go us. Eternal vigilance is the price of liberty, indeed.
It may be fashionable among some to paint this as a stupid mistake on the part of some Debian maintainer — but this Slashdot poster gives details about what appears to be an honest and understandable mistake. He also quotes Bruce Schneier to devastating effect: “bad crypto looks much the same as good crypto”. Which is why it took over a year for folks to notice this bug, with the result that literally millions of Debian-based systems could be exposed to remote exploits.
Fedora dodged this bullet. Will we dodge the next one?
One defense is to make sure that we diverge as little as possible from upstream developers — and when we do diverge, make sure that everyone, upstream and downstream, knows about any patches, and why they exist. There’s a lot of discussion going on right now about how to do that.
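As an added illustration of that first defense (this is not code from the original post or from the Fedora project): a small Python check that reads an RPM spec file and flags two things a reviewer would want to catch, a `PatchN:` tag with no explanatory comment directly above it, and a patch that is declared but never applied in `%prep`. The spec file and patch names below are constructed for the example, and the rule that the explanation must sit in the comment lines immediately above the tag is an assumption of this example rather than a stated Fedora requirement.

```python
"""Audit an RPM spec file for patches that carry no explanation.

Added example, not part of the original post. Assumes the usual RPM
conventions: 'PatchN: file' declares a patch, '%patchN' applies it.
The requirement that a comment line sit directly above each Patch tag
is this example's own rule.
"""
import re

# 'Patch0: foo.patch' -> number and filename
PATCH_TAG = re.compile(r"^\s*Patch(\d+)\s*:\s*(\S+)", re.IGNORECASE)
# '%patch0 -p1' -> number (the older '%patch -P N' form is not handled here)
PATCH_APPLY = re.compile(r"^\s*%patch(\d+)\b")


def find_undocumented_patches(spec_text):
    """Return [(number, filename)] for Patch tags with no '#' comment
    on the line immediately above them. A blank line breaks the comment."""
    undocumented = []
    prev_is_comment = False
    for line in spec_text.splitlines():
        stripped = line.strip()
        m = PATCH_TAG.match(line)
        if m and not prev_is_comment:
            undocumented.append((int(m.group(1)), m.group(2)))
        prev_is_comment = stripped.startswith("#")
    return undocumented


def find_unapplied_patches(spec_text):
    """Return the sorted numbers of patches declared but never applied.
    A declared-but-unapplied patch is a sign the spec and the intent
    have drifted apart, which is exactly what a reviewer wants to see."""
    lines = spec_text.splitlines()
    declared = {int(m.group(1)) for m in map(PATCH_TAG.match, lines) if m}
    applied = {int(m.group(1)) for m in map(PATCH_APPLY.match, lines) if m}
    return sorted(declared - applied)


# Constructed sample spec: Patch1 lacks a comment, Patch2 is never applied.
SAMPLE_SPEC = """\
Name: example-crypto
Version: 0.9.8
Source0: example-crypto-%{version}.tar.gz
# Fix the build on ppc64; sent upstream (constructed example)
Patch0: example-crypto-ppc64-build.patch
Patch1: example-crypto-silence-valgrind.patch
# Drop a test that needs network access at build time (constructed example)
Patch2: example-crypto-no-network-tests.patch

%prep
%setup -q
%patch0 -p1
%patch1 -p1
"""


def audit(spec_text):
    """Run both checks and return them as a dict; handy for a CI gate."""
    return {
        "undocumented": find_undocumented_patches(spec_text),
        "unapplied": find_unapplied_patches(spec_text),
    }


if __name__ == "__main__":
    report = audit(SAMPLE_SPEC)
    for num, name in report["undocumented"]:
        print(f"Patch{num} ({name}) has no comment explaining why it exists")
    for num in report["unapplied"]:
        print(f"Patch{num} is declared but never applied in %prep")
```

Run against a real spec by replacing `SAMPLE_SPEC` with the file's contents; a non-empty result from either check is the sort of thing a package review for a crypto library should stop on, since an unexplained local patch is exactly how a divergence from upstream goes unnoticed.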
Another possible defense is to put certain packages in a different review category — especially any packages that deal with fundamental system-level encryption. That discussion is also ongoing.
So there may be changes. There may be a bit more bureaucracy in Fedora, and another step or two (or three, or more) in a process that is already very long indeed. But if it cuts down the chance of a catastrophic mistake like this, it’s worth it.
A great day for Fedora today — but also a tough day for Linux.