OpenSSL security fix for human beings

Jan Claeys lists at
Wed May 21 00:40:52 BST 2008

Op woensdag 14-05-2008 om 21:13 uur [tijdzone -0700], schreef Dylan
> I think, on the usability front, a nice thing with
> GNOME (and Ubuntu by extension) is not belittling the user. That is,
> never presenting information the user does not know about and then
> telling him to just ignore it because "it means nothing to him". If
> information means nothing to the user, it should not be waved under his
> nose. If it does mean something to the user, it should be presented
> clearly. The result: Users get used to reading what is on screen instead
> of frantically avoiding scary technical information.
> Still, it seems odd to me that openssh-client, openssh-server and
> openssl would all be saying essentially the same thing with varying
> levels of complexity.

The fixes & changes have different results in different situations.  I
think, because of that, it's difficult to do this 100% right...

(E.g. server admins vs. home users.)

> What I am really concerned about here is how capable our existing
> infrastructure for major security updates is of being user friendly. I
> suppose the update script wanted me to run that command myself since it
> is running as root (so it would be bad for it to do that), which does
> expose some problems: Here an updater that needs to change something for
> a user is giving the user instructions that it should seemingly be able
> to follow itself.

The update script is already running as root.

The given command had to be run *before* logging on again anyway, as it
shows the new SSH host (= server) key's fingerprint that you need to
make sure you're logging on into the right server.

> Furthermore, good Vulcan logic dictates that critical security
> updates
> should not be slowed down for the sake of usability review.

Which is probably why things weren't as good as they "should"
be...   ;-)

Jan Claeys

More information about the ubuntu-desktop mailing list