On 19 Aug 2016, Theo de Raadt wrote:
(snip)
> There is no juxtaposition.

I'm pretty sure that I managed to place the quotations side by side!

> You are expecting a bunch of volunteers to do the massive job of
> upgrading last-month's software -- and do it better than Google with
> Android, or car manufacturers, or basically anything which contains
> software.

I don't expect anything of the sort. Please don't confuse what I actually said with your generic caricature of people. I'm sorry that you read my amusement as judging and sniping but that sneering's wholly in your head. I wouldn't be on this list at all were I not pretty impressed with the project. Though, I have a feeling that you might keep on seeing sniping in this response, so go ahead and have the last word after this: you need not fear my extending this subthread beyond it having plausible value in reducing confusion.

> You are labelling "security" as purely "dealing with yesterday's bugs"
> essentially for "customers" -- and we don't have customers.

Not "purely" but in common parlance and practice I do regard prompt installation of fixes for "security flaws" as part of "security" in its usual sense, yes. That's why I was surprised by how "everyone is encouraged to use" packages that don't get such fixes and I assumed the lack of binary fixes to simply be a matter of having to allocate limited resources to other, more valuable, efforts, that the "everyone is encouraged" might just be worded too strongly. I now find that I may well be wrong, that it is a deeper philosophical issue:

Thank you for your explanation of how the security discussed by one of the pages I quoted is specifically about a development mindset rather than being about some general concept of users' systems security: that explains why the quotes all make sense as a whole and it also fits with your laudable stance on W^X, etc. I already wrote elsewhere how I value how the project puts "solid engineering well ahead of adding features".

You can understand why the average outsider reading through these public pages might be confused and read "security" more broadly though? Maybe it was just me.

Indeed, I've not contributed much to OpenBSD. I do answer questions here where I can (which isn't often!) and I wrote up details of how I got OpenBSD running on my machines in the hope of helping other new users (and of course sent a dmesg) but, back to the optimal allocation of resources, mostly I use and contribute to FOSS according to my actual ability: with my being fairly new to running BSDs and having barely used C for years, I am sorry to agree that I don't offer OpenBSD much at present. But, on the other hand, just this week I contributed Java code to kryo-serializers and I've not even actually used that library myself yet: I figure it all balances out but of course you may reasonably think otherwise.

I also occasionally contribute FOSS security fixes (e.g., one that got into this month's release of OMERO) and my thinking may be colored by the anxiety I sometimes feel in seeing people still running the vulnerable versions. Of course it helps that the OpenBSD release schedule has been fairly brisk so people certainly aren't encouraged to run /ancient/ packages.

-- 
Mark