On Thu, Aug 5, 2010 at 11:37 AM, OQ <overlordq(a)gmail.com> wrote:
> The onus isn't 100% on Debian, partial blame can be on the OpenSSL
> team for not saying "Hey that's a stupid idea" when he asked about his
> 'fix'.
The one applying the patch bears full responsibility for what happens.
If they don't understand the code, they shouldn't be patching it at
all, they should be directing all patches upstream. The Debian
maintainer in that case made no more than a cursory effort to upstream
the patch, like a typical maintainer. If they had adopted the
common-sense policy of not applying any patches except critical
security fixes to anything without upstream review (where there was an
active upstream), it would never have happened.
Trying to blame upstream in this case legitimizes the current broken
status quo where maintainers of all major distros happily apply
unnecessary patches that they don't understand, breaking things all
over the place as a result. This was only a particularly breathtaking
example of the kind of breakage that happens all the time, in
MediaWiki just as well. What the Debian maintainer should have done
is said "This is an upstream bug, and it's not critical, so take it
upstream -- we'll pick up the fix from upstream if they accept it."
Period.
(I'll grant that it's reasonable to make exceptions for the sake of
platform integration, like modifying it so it will work with the
distro's standard compilation options, changing file locations to
match FHS, and otherwise getting it to play nice with the system --
*if* the upstream refuses to accept patches. This is a distro's job,
and they do have to do it even if upstream doesn't play along. But
that was not the case at all for the patch in question, just as it's
not the case for a lot of the patches made downstream to MediaWiki.)