The problem is not that the release was made; the problem is that
it was improperly labelled.  By not saying that it was beta-quality,
people were misled.  There is a significant portion of the community
that either doesn't have the skill or the inclination to deal with
beta-quality software.

The intent of not labelling the e, f, and g releases as beta was to
have them widely distributed.  However, the opposite effect is
happening, as people will now be suspicious of the quality and will
simply wait to see how things shake out.

--- Jeffrey Altman <[EMAIL PROTECTED]> wrote:
> > At 09:40 AM 8/9/2002 -0400, Gregg Andrew writeth:
> > >OK so is version 0.9.6e that I just compiled with Apache-2.0.39 any good?
> > It was my understanding that all known security issues were addressed and
> > fixed in 0.9.6e version, is this still true? I'm running on Solaris 8.
> > >Thanks 
> > >Gregg Andrew
> > 
> > I'm just going to wait for them to get their act together and release an
> > official _STABLE_ release before I go and get the "latest and greatest."
> > Sure there might be some issues in the current stable version, but from
> > what I'm seeing, they are putting out fixes without testing every platform.
> >  Given that the Windows platform is barely supported by the OpenSSL
> > community, it is insane to constantly try the new updates only to find they
> > don't compile or something else is wrong with them.
> > 
> > Hope this helps!
> 
> Actually it doesn't.  The OpenSSL team is not capable of testing by
> themselves all of the platforms on which their code is used.  That
> requires the help of the user community.  Unfortunately, when they are
> trying to get out an emergency fix to close a security hole that can
> be used to compromise the integrity of any application or service that
> uses OpenSSL on any operating system it is a bit hard to have a two
> week public beta test.
> 
> The OpenSSL team did what they felt was necessary and got a series of
> patches out for all versions of OpenSSL going back at least five years
> that, when applied, would alter the result of potential attacks by
> turning attacks into a denial of service rather than a system
> compromise.  Granted, the applied patches did not work on some systems
> when used with shared libraries (Windows, VMS) but the greater
> community responded within several hours with:
> 
>  . a fix to the exports to allow the fix to be built on Windows
> 
>  . an analysis of the denial of service problem outlining the path
>    to removing it entirely while still closing the security holes
> 
>  . a series of patches that removed the denial of service attack
> 
> these were then integrated into OpenSSL snapshots the next day.  These
> were released yesterday with several more fixes as 0.9.6f.  Because it
> is addressing a pressing security concern there was no public beta and
> it was deemed necessary to get the build out right away before more
> companies shipped products incorporating the denial of service.  There
> was a minor build problem on some systems, therefore 0.9.6g was
> announced today.
> 
> I think the OpenSSL team and the community should be congratulated for
> their response to this problem.  I only hope that vendors will be as
> quick to integrate these fixes into their products so as to avoid
> significant use of these holes for destructive purposes.
> 
> - Jeff
> 
>  Jeffrey Altman * Sr.Software Designer     Kermit 95 2.0 GUI available now!!!
>  The Kermit Project @ Columbia University  SSH, Secure Telnet, Secure FTP, HTTP
>  http://www.kermit-project.org/            Secured with MIT Kerberos, SRP, and 
>  [EMAIL PROTECTED]               OpenSSL.
> ______________________________________________________________________
> OpenSSL Project                                 http://www.openssl.org
> User Support Mailing List                    [EMAIL PROTECTED]
> Automated List Manager                           [EMAIL PROTECTED]

