Sounds like the original author didn't document his code well enough.
> Sounds like the original author didn't document his code well enough.
I'd be inclined to agree, but I haven't seen the code myself so I can't really say for sure.
IMO, if the offending programmer at Debian was inside a module that he or she didn't understand, he or she should have passed their comments or criticisms back up to the OpenSSL group with a "WTF does this do??"
That would have solved it. However, I have heard rumors that there's ongoing feuding between Debian developers and others, such that the Debian group doesn't talk to anybody else.
If so, that's extremely unfortunate, witness this.
I'm having to crawl through my entire organization, since some of our people use Ubuntu (affected by this), and may have generated bad keys that have been copied between other systems (Unix, other Linux, Windows, Mac, etc.) over a period of two years. It's a bloody nightmare.
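The cleanup described in that last post comes down to one mechanical check: because the broken Debian/Ubuntu OpenSSL drew keys from a tiny, enumerable set, every affected key is known in advance and can be matched by fingerprint against a blacklist (this is what Debian's and Ubuntu's ssh-vulnkey and openssl-blacklist packages did). The script below is an added example written for this page, not code from the thread or from those packages. It assumes a blacklist layout of one hex MD5 fingerprint per line (simpler than the layout the shipped blacklist files use), builds two constructed ssh-rsa key blobs in the OpenSSH wire format to stand in for a weak and a clean key, and scans an authorized_keys-style text for matches, which is exactly the sweep across copied keys that the poster is describing. The file scanner at the end is the piece you would point at collected authorized_keys and *.pub files from each host.

```python
import base64
import hashlib
import struct

# Key types this example recognises in authorized_keys / *.pub lines.
KEY_TYPES = {"ssh-rsa", "ssh-dss"}


def _ssh_string(b):
    """OpenSSH wire 'string': 4-byte big-endian length followed by the bytes."""
    return struct.pack(">I", len(b)) + b


def _ssh_mpint(n):
    """OpenSSH wire 'mpint': minimal big-endian two's complement, zero-padded if the top bit is set."""
    raw = n.to_bytes((n.bit_length() + 7) // 8, "big")
    if raw and raw[0] & 0x80:
        raw = b"\x00" + raw
    return _ssh_string(raw)


def rsa_blob(e, n):
    """Public key blob as it appears base64-encoded in an authorized_keys line."""
    return _ssh_string(b"ssh-rsa") + _ssh_mpint(e) + _ssh_mpint(n)


def md5_fingerprint(blob):
    """Hex MD5 over the raw blob, i.e. the colon-less form of 'ssh-keygen -l -E md5'."""
    return hashlib.md5(blob).hexdigest()


def parse_authorized_keys(text):
    """Return (lineno, keytype, blob, comment) for each valid key line.

    Skips blank and '#' lines, tolerates option prefixes such as
    no-pty,command="..." (as long as the options contain no spaces), and
    drops lines whose base64 does not decode to a blob of the named type.
    """
    keys = []
    for lineno, line in enumerate(text.splitlines(), 1):
        stripped = line.strip()
        if not stripped or stripped.startswith("#"):
            continue
        tokens = stripped.split()
        for i, tok in enumerate(tokens[:-1]):
            if tok not in KEY_TYPES:
                continue
            try:
                blob = base64.b64decode(tokens[i + 1], validate=True)
            except ValueError:  # binascii.Error is a ValueError
                continue
            if not blob.startswith(_ssh_string(tok.encode())):
                continue  # base64 decoded, but it is not a blob of this type
            comment = " ".join(tokens[i + 2:])
            keys.append((lineno, tok, blob, comment))
            break
    return keys


def load_blacklist(lines):
    """Assumed format: one hex MD5 fingerprint per line, '#' comments allowed, any case."""
    return {l.strip().lower() for l in lines if l.strip() and not l.strip().startswith("#")}


def find_weak_keys(text, blacklist):
    """Return (lineno, keytype, fingerprint, comment) for every blacklisted key in text."""
    hits = []
    for lineno, keytype, blob, comment in parse_authorized_keys(text):
        fp = md5_fingerprint(blob)
        if fp in blacklist:
            hits.append((lineno, keytype, fp, comment))
    return hits


def scan_file(path, blacklist):
    """Convenience wrapper for a collected authorized_keys or *.pub file."""
    with open(path, encoding="utf-8", errors="replace") as f:
        return find_weak_keys(f.read(), blacklist)


# Constructed sample data: placeholder moduli, not real keys and not real weak keys.
WEAK_BLOB = rsa_blob(65537, 2**1023 + 12345)
OK_BLOB = rsa_blob(65537, 2**1023 + 54321)

SAMPLE_AUTHORIZED_KEYS = "\n".join([
    "# constructed sample, not a real authorized_keys file",
    'no-pty,command="/usr/bin/rsync" ssh-rsa '
    + base64.b64encode(WEAK_BLOB).decode() + " copied-from-ubuntu-box",
    "ssh-rsa " + base64.b64encode(OK_BLOB).decode() + " generated-elsewhere",
    "",
])

# Constructed blacklist containing only the "weak" sample key (upper-case on purpose).
SAMPLE_BLACKLIST = load_blacklist([
    "# constructed blacklist",
    md5_fingerprint(WEAK_BLOB).upper(),
])


if __name__ == "__main__":
    for lineno, keytype, fp, comment in find_weak_keys(SAMPLE_AUTHORIZED_KEYS, SAMPLE_BLACKLIST):
        print(f"line {lineno}: blacklisted {keytype} key {fp} ({comment})")
```

Running it against real data means replacing the constructed blacklist with a fingerprint list you trust, and collecting authorized_keys and *.pub files from every host that might have received a copied key, not just the Ubuntu machines that generated them; matching on the fingerprint rather than on the key's comment or filename is what catches keys that were renamed as they moved.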