> Would you like me to suggest (to whoever reports an issue) that someone
> on your team (who?) be notified next time an OpenSSL issue is brought up
> on distros?

Solar and Kurt, a few questions:

Your one-word answers to the following questions will decide your reputation regarding open source security, my reputation regarding open source security, or the reputation of others.

1. Was full and complete advance disclosure of this issue managed via your list? Answer yes or no. One word.

2. Previous to this morning, were you aware that OpenBSD was not receiving this information? Answer yes or no. One word.

3. In your hearts, do you believe that a substantial subset of open source OS users, via their vendor contacts, should ever accept a late delivery of information for any reason? Answer yes or no. One word.

4. Were you party to a late disclosure to OpenBSD? Answer yes or no. One word.

Kurt and Solar, I am aware I am including people you have business with. I hope you realize that this is the day you are called to tell the truth or tell a lie. It happens to us all.

Lack of an answer will judge you, worse than inaction from me. That is why I am sending this mail. I wish it wasn't this way, but when were OpenBSD users asked their point of view regarding their security? Right now, I am asking for an account of who caused them to not know at the same time as others.