On Thu, Aug 5, 2010 at 11:37 AM, OQ <overlordq@gmail.com> wrote:
> The onus isn't 100% on Debian, partial blame can be on the OpenSSL team for not saying "Hey that's a stupid idea" when he asked about his 'fix'.
The one applying the patch bears full responsibility for what happens. If they don't understand the code, they shouldn't be patching it at all, they should be directing all patches upstream. The Debian maintainer in that case made no more than a cursory effort to upstream the patch, like a typical maintainer. If they had adopted the common-sense policy of not applying any patches except critical security fixes to anything without upstream review (where there was an active upstream), it would never have happened.
Trying to blame upstream in this case legitimizes the current broken status quo where maintainers of all major distros happily apply unnecessary patches that they don't understand, breaking things all over the place as a result. This was only a particularly breathtaking example of the kind of breakage that happens all the time, in MediaWiki just as well. What the Debian maintainer should have done is said "This is an upstream bug, and it's not critical, so take it upstream -- we'll pick up the fix from upstream if they accept it." Period.
(I'll grant that it's reasonable to make exceptions for the sake of platform integration, like modifying it so it will work with the distro's standard compilation options, changing file locations to match FHS, and otherwise getting it to play nice with the system -- *if* the upstream refuses to accept patches. This is a distro's job, and they do have to do it even if upstream doesn't play along. But that was not the case at all for the patch in question, just as it's not the case for a lot of the patches made downstream to MediaWiki.)