OpenSSL security fix for human beings

Matthew Paul Thomas mpt at
Tue May 27 15:20:56 BST 2008

Hi Dylan

Thanks for your suggestions, and sorry for the late reply.

Dylan McCall wrote on 15/05/08 05:13:
> First off, kudos to those involved with the openssl fix. It was
> swiftly produced and in the repos within record time. I had learned
> about the problem earlier today and welcomed the updates quite
> happily. (As well as their instructions. Those info popups are cool).
> However, one question very quickly sprang to mind: Did usability
> people look at this?
> -I experienced not one, but three popups telling me about the update.

I've been in touch with the Canonical developers involved in producing
the update.

Three packages were updated with notifications: openvpn, openssh-server,
and ssl-cert. It was necessary to give each package a separate
notification, because an Ubuntu installation might reasonably have only
one or two of the three packages installed. For example, a server might
have openssh-server and ssl-cert installed, but not openvpn. And a
desktop machine might have ssl-cert installed, but might or might not
have openvpn and/or openssh-server.

> Still, I think it could be worthwhile to give a little heads-up about
> this event before a rambo releases an update telling people to run
> rm -rf ~/something as their own users (sure to get CLI paranoiacs up
> in arms! :P). Is there a system in place for a rapid usability review
> "queue" of some type? Could be interesting to ponder.

Even if there was such a queue, it would need to be either private, or
not used for security updates covering unannounced vulnerabilities.

> I think Ubuntu's speedy updates on any day of the week are a great 
> strength, but so is usability. To be truly user-friendly, though,
> that philosophy of usability must be present everywhere from the web
> site to the security patches. It seems to me, though, that this
> security update had very little time in which to get a proper look at
> how it could be applied without disturbing users. Indeed, I fear that
> it, with all the crazy popup messages and (repeated!) instructions,
> may be unnecessarily disruptive.

The update was produced under a time limit such that it might not have
been practical to do a usability review, even if there had been a
process for it. To put this in perspective, though, a usability review
likely wouldn't have helped as many people as localizing the alerts
would have.

--
Matthew Paul Thomas

More information about the ubuntu-desktop mailing list