I may also remind people that those lists are acknowledged right at the top
as experimental.  They also do not allow for non-personal subscriptions, so
they aren't very practical for this.  What if I was away for a day or
three..  Or more..  Essentially this is a nice experiment, but not really a
practical means of early disclosure. Nor were we informed it was anything
beyond experimental.
On 5 Jun 2014 17:39, "Stuart Henderson" <s...@spacehopper.org> wrote:

> On 2014/06/05 20:43, Martin, Matthew wrote:
> > > That's exactly my thought. Especially because FreeBSD and NetBSD were
> > > warned, but not OpenBSD. If this was only a rant or any childish
> > > behavior from them, it's something stupid and, of course, not the right
> > > thing to do. But hey, we're all human. My real concern is if this is
> > > something else, a hidden agenda, in that this "stupid disclosure" was
> > > indeed, carefully planned. One can never have too many conspiracy
> > > theories. Especially after what has been happening the last year. Thanks
> > > for the clarification.
> >
> > Mark Cox claims that the reason OpenBSD was not told is because OpenBSD
> > is not on the distros mailing list and if we were then "they'd be able
> > to work with other distros on issues in advance."
>
> The distros and linux-distros lists are a good way to contact *some*
> OS distributions and Amazon.
>
> http://oss-security.openwall.org/wiki/mailing-lists/distros
>
> But there are clearly a number of others for whom an OpenSSL bug
> would have big impact who are not on that list (OS such as OpenBSD
> and Apple, large scale hosting providers, etc). Many of these are
> listed on the security contacts page on the wiki, and actually, the
> page with information about sending to the distros list (which
> submitters cannot ignore as it has the required pgp key) says:
>
>         "Please notify upstream projects/developers of the
>         affected software, other affected distro vendors <link to
>         http://oss-security.openwall.org/wiki/vendors>, and/or
>         affected Open Source projects before notifying one of these
>         mailing lists in order to ensure that these other parties
>         are OK with the maximum embargo period that would apply."
