I'll top-post this one time, to quote Chris' message in its entirety.
I've dropped the CC to secur...@redhat.com - it felt too spammy to be
sending them this. I've added Kurt, who is already involved in the
discussion.
Theo -
Thank you for (apparently) forwarding my reply to your team. I was
uncomfortable about not being able to refer to that private discussion
in the thread you started on your lists. Somehow I don't see that
message appearing on your lists, though? Luckily, Chris quoted most of
that one message, so at least that portion is now public.
Chris, the answer to your "really?" and "seriously?" is "yes, really and
seriously". I am being sincere.
I'll now proceed to provide replies to specific questions addressed to me
in other messages.
On Thu, Jun 05, 2014 at 10:10:57PM -0700, Chris Cappuccio wrote:
> Theo de Raadt [dera...@cvs.openbsd.org] wrote:
> > From: Solar Designer
> > To: Theo de Raadt
> >
> > Hi Theo,
> >
> > I can't comment about OpenSSL folks, but my own impression certainly was
> > that you didn't want your project to be provided advance notification -
> > not only via distros list, but at all. Now you're saying you actually
> > wanted folks on your team to be notified, just not you personally. Hmm?
>
> Really?
>
> Let's see it. I'm questioning your judgment after reading the next bit.
>
> > As you had mentioned to me in the private discussion when stu@ wanted to
> > get OpenBSD onto distros, you didn't want folks on your team to accept
> > any kind of embargo. I wish we had that discussion in public, as I had
> > suggested at the time. You objected to that. (And I understand that
> > with that discussion in public you might not have been willing to blame
> > some others in it, which would possibly hamper my understanding of your
> > position. So your objection did make some sense.) Now you appear to be
> > misinforming folks on your own team (I hope not intentionally) that
> > those evil people on distros list and OpenSSL maintainers deliberately
> > didn't want to notify you. You might be right about OpenSSL maintainers
> > (although I think you are not) - I just don't know, and can't speak for
> > them - but at least for me (as someone who was notified via distros
> > list) it appeared that you actually didn't want your team to be notified
> > in a manner that would impose any restrictions on when you can commit a
> > fix. So, believe it or not, it didn't even occur to me to put your
> > project in a position where your folks would be asked to accept an
> > embargo, which you didn't want.
> >
>
> This reads like some kind of strange combination of arbitrary logic
> and reasoning to justify this in your own mind.
>
> Firstly, an "embargo" is crap and you know it. That implies a formal
> process with contracts and legal implications. (More plainly, did YOU sign?)
>
> A heads-up from OpenSSL to the key people is all it would have taken.
> (Sorry, I guess that's only appropriate when those key people aren't aiming
> at improving their shitty product.)
>
> > Would you like me to suggest (to whoever reports an issue) that someone
> > on your team (who?) be notified next time an OpenSSL issue is brought up
> > on distros? (It doesn't have to be one person on your team - it can be
> > several. This is to address Bob's comment on your lists.) What about
> > issues in other projects (not OpenSSL)? Which other projects would you
> > also like notifications about?
> >
> > It appears that you've made a (political) decision for your projects not
> > to join distros (or possibly any such channels in general), but are now
> > asking for people/projects to be notifying your folks anyway when
> > appropriate (whatever that means), and this is difficult for everyone.
> >
> > How do you suggest we make things better (in whatever sense you like)
> > going forward?
> >
>
> Seriously?
>
> I think the situation here is PLAINLY OBVIOUS.
>
> Here in the real world, key OpenBSD members should be trusted to
> do the RIGHT THING in a typical situation like this.
>
> This isn't the first time this has happened nor the last time it will.
>
> Hopefully next time someone has common sense.
>
> I think we can all agree, OpenSSH has been successful at mitigating
> this same kind of problem with ALL of the other players.
>
> Maybe you need some coffee?
>
> Chris