
Joel W Shea wrote:
That said, "given enough eyeballs, all bugs are shallow", and there are many people along that chain, but even that didn't stop a fairly grave OpenSSH bug[1] slipping through unnoticed for *years*...
[1] - http://helvick.blogspot.com.au/2008/05/debian-opensslopenssh-prng-bug.html
Knee-jerk reaction: that URL doesn't make particularly clear that 1) it's not just SSH; and 2) IMO the blame does not lie solely with Debian. Ref. http://wiki.debian.org/SSLkeys#Causes (and that article as a whole). BTW, Debian/Ubuntu SSH is patched to reject keys from an arbitrary blacklist. In addition to the usual blacklist per above, I also include the (known) keys of ex-staff. AFAIK current RHEL and upstream sshd is not similarly patched, so those systems are actually MORE vulnerable to the above issue; nor can I blacklist ex-staff on them. (I welcome any corrections to that "AFAIK"!)
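On an sshd that lacks the Debian blacklist patch, the equivalent control is to audit authorized_keys files out of band against a fingerprint blacklist (e.g. the known keys of ex-staff). The following is an added example, not code from the thread or from Debian's patch; it assumes OpenSSH's SHA256 fingerprint format and uses constructed key bytes and a constructed authorized_keys text as input.

```python
import base64
import hashlib
import struct

KEY_TYPE_PREFIXES = ("ssh-", "ecdsa-")

def ssh_string(data: bytes) -> bytes:
    # SSH wire-format string: 4-byte big-endian length, then the bytes.
    return struct.pack(">I", len(data)) + data

def make_ed25519_blob(raw_key: bytes) -> bytes:
    # Public key blob as it appears (base64-encoded) in authorized_keys.
    return ssh_string(b"ssh-ed25519") + ssh_string(raw_key)

def fingerprint_sha256(blob: bytes) -> str:
    # OpenSSH "SHA256:" fingerprint: SHA-256 of the blob, base64, '=' padding stripped.
    digest = hashlib.sha256(blob).digest()
    return "SHA256:" + base64.b64encode(digest).decode().rstrip("=")

def parse_authorized_keys(text: str):
    # Yield (line_no, blob, comment); tolerate a leading options field, skip blanks/comments.
    for line_no, line in enumerate(text.splitlines(), start=1):
        fields = line.strip().split()
        if not fields or fields[0].startswith("#"):
            continue
        for idx, field in enumerate(fields[:-1]):
            if field.startswith(KEY_TYPE_PREFIXES):
                blob = base64.b64decode(fields[idx + 1])
                yield line_no, blob, " ".join(fields[idx + 2:])
                break

def find_blacklisted(text: str, blacklist: set) -> list:
    # Return [(line_no, fingerprint, comment)] for every key whose fingerprint is blacklisted.
    hits = []
    for line_no, blob, comment in parse_authorized_keys(text):
        fp = fingerprint_sha256(blob)
        if fp in blacklist:
            hits.append((line_no, fp, comment))
    return hits

def b64(data: bytes) -> str:
    return base64.b64encode(data).decode()

# Constructed sample data: fixed bytes standing in for real keys (not real credentials).
EX_STAFF_BLOB = make_ed25519_blob(bytes(range(32)))
CURRENT_BLOB = make_ed25519_blob(bytes(range(32, 64)))
SAMPLE_AUTHORIZED_KEYS = "\n".join([
    "# constructed authorized_keys for the example",
    f"ssh-ed25519 {b64(CURRENT_BLOB)} alice@example.org",
    f'command="/usr/bin/backup" ssh-ed25519 {b64(EX_STAFF_BLOB)} bob@example.org',
])
BLACKLIST = {fingerprint_sha256(EX_STAFF_BLOB)}  # fingerprints of ex-staff keys

if __name__ == "__main__":
    for line_no, fp, comment in find_blacklisted(SAMPLE_AUTHORIZED_KEYS, BLACKLIST):
        print(f"line {line_no}: blacklisted key {fp} ({comment})")
```

The same `find_blacklisted` can be run over real `~/.ssh/authorized_keys` files with a blacklist built from `ssh-keygen -lf` output of the keys to be rejected.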