Comments on: Am I an Accessory? http://eternallyoptimistic.com/2009/05/31/am-i-an-accessory/ Wed, 21 Apr 2010 14:34:25 +0000 http://wordpress.org/?v=2.9.2 hourly 1 By: yungchin http://eternallyoptimistic.com/2009/05/31/am-i-an-accessory/comment-page-1/#comment-529 yungchin Mon, 22 Jun 2009 09:26:23 +0000 http://eternallyoptimistic.com/?p=1200#comment-529 >> So while the version of libssl0.9.7-sarge5, it should nevertheless >> incorporate all the security fixes present in 0.9.8k. > > So, the good news is that I’m probably safe, and the team is on top > of it. The bad new is that I simply have to trust it is so, I don’t > see a way to easily independently verify. Given that it's Debian, where all business is done in the open, it is very easy to independently verify things. The <a href="http://www.debian.org/releases/sarge/" rel="nofollow">sarge release</a> page will tell you that in fact security-updates for sarge have been discontinued over a year ago. Furthermore, you can subscribe to the <a href="http://www.debian.org/security/dsa" rel="nofollow">Debian Security Advisories feed</a>, which shows the most recent update for OpenSSL was <a href="http://www.debian.org/security/2009/dsa-1763" rel="nofollow">this year</a>, and indeed did not include updates for sarge anymore... >> So while the version of libssl0.9.7-sarge5, it should nevertheless
>> incorporate all the security fixes present in 0.9.8k.
>
> So, the good news is that I’m probably safe, and the team is on top
> of it. The bad new is that I simply have to trust it is so, I don’t > see a way to easily independently verify.

Given that it’s Debian, where all business is done in the open, it is very easy to independently verify things. The sarge release page will tell you that in fact security-updates for sarge have been discontinued over a year ago. Furthermore, you can subscribe to the Debian Security Advisories feed, which shows the most recent update for OpenSSL was this year, and indeed did not include updates for sarge anymore…

]]>