Fcc: +outbox
Subject: Re: that private mailing list (fwd)

Solar Designer: Re: that private mailing list
--------

I haven't even read this.  I don't care.  If this is the situation with
open source disclosure, all of you users are fucked.

------- Forwarded Message

Received: from mother.openwall.net (mother.openwall.net [195.42.179.200])
	by cvs.openbsd.org (8.14.8/8.12.1) with SMTP id s564LjFg027340
	for <dera...@cvs.openbsd.org>; Thu, 5 Jun 2014 22:21:46 -0600 (MDT)
Received: (qmail 19629 invoked from network); 6 Jun 2014 04:21:39 -0000
Received: from localhost (HELO pvt.openwall.com) (127.0.0.1)
	by localhost with SMTP; 6 Jun 2014 04:21:39 -0000
Received: by pvt.openwall.com (Postfix, from userid 503)
	id 82DA048BCE; Fri, 6 Jun 2014 08:21:05 +0400 (MSK)
Date: Fri, 6 Jun 2014 08:21:05 +0400
From: Solar Designer <so...@openwall.com>
To: Theo de Raadt <dera...@cvs.openbsd.org>
Subject: Re: that private mailing list
Message-ID: <20140606042105.gb26...@openwall.com>
References: <201406052157.s55lvh7j020...@cvs.openbsd.org>
Mime-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Content-Disposition: inline
In-Reply-To: <201406052157.s55lvh7j020...@cvs.openbsd.org>
User-Agent: Mutt/1.4.2.3i

Hi Theo,

I'll reply only in private first, because I am referring to the past
discussion we had in private and that you didn't want to be made public.

Also, please note that I wrote the below with no hard feelings, and I
don't mean to offend you.  I am just being sincere and direct.  I think
that is your preferred way to communicate, so I've adopted it. :-)

On Thu, Jun 05, 2014 at 03:57:43PM -0600, Theo de Raadt wrote:
> I only know parts.  It sounds like some people who claim they stand
> up for what is right really don't stand up for what is right.

I can't comment about OpenSSL folks, but my own impression certainly was
that you didn't want your project to be provided advance notification -
not only via distros list, but at all.  Now you're saying you actually
wanted folks on your team to be notified, just not you personally.  Hmm?

As you had mentioned to me in the private discussion when stu@ wanted to
get OpenBSD onto distros, you didn't want folks on your team to accept
any kind of embargo.  I wish we had that discussion in public, as I had
suggested at the time.  You objected to that.  (And I understand that
with that discussion in public you might not have been willing to blame
some others in it, which would possibly hamper my understanding of your
position.  So your objection did make some sense.)

Now you appear to be misinforming folks on your own team (I hope not
intentionally) that those evil people on distros list and OpenSSL
maintainers deliberately didn't want to notify you.  You might be right
about OpenSSL maintainers (although I think you are not) - I just don't
know, and can't speak for them - but at least for me (as someone who was
notified via distros list) it appeared that you actually didn't want
your team to be notified in a manner that would impose any restrictions
on when you can commit a fix.  So, believe it or not, it didn't even
occur to me to put your project in a position where your folks would be
asked to accept an embargo, which you didn't want.

Would you like me to suggest (to whoever reports an issue) that someone
on your team (who?) be notified next time an OpenSSL issue is brought up
on distros?  (It doesn't have to be one person on your team - it can be
several.  This is to address Bob's comment on your lists.)  What about
issues in other projects (not OpenSSL)?  Which other projects would you
also like notifications about?

It appears that you've made a (political) decision for your projects
not to join distros (or possibly any such channels in general), but are
now asking for people/projects to be notifying your folks anyway when
appropriate (whatever that means), and this is difficult for everyone.
How do you suggest we make things better (in whatever sense you like)
going forward?

/sd

------- End of Forwarded Message