Re: new OpenSSL flaws

2014-06-09 Thread Steven Chamberlain
Alexander, I'd like to thank you for taking the time to answer Theo's questions, the further advice you've given here, for your patience and the work that you do overall. Regards, -- Steven Chamberlain ste...@pyro.eu.org

Re: new OpenSSL flaws

2014-06-08 Thread Francois Ambrosini
On Sat, 7 Jun 2014 14:19:33 +0400 Solar Designer so...@openwall.com wrote: On Sat, Jun 07, 2014 at 09:13:36AM +0200, Francois Ambrosini wrote: On Sat, 7 Jun 2014 07:04:47 +0400 Solar Designer so...@openwall.com wrote: Being on the distros list is not mandatory to receive advance

Re: new OpenSSL flaws

2014-06-08 Thread Solar Designer
On Sun, Jun 08, 2014 at 10:38:50AM +0200, Francois Ambrosini wrote: I am a mere user who happened to spot an inconsistency and wanted to inform all parties. I appreciate the constructive nature of your messages. I will not comment on your guesses and opinions with information I do not have.

Re: new OpenSSL flaws

2014-06-08 Thread Solar Designer
On Fri, Jun 06, 2014 at 10:26:48AM +0400, Solar Designer wrote: On Thu, Jun 05, 2014 at 04:38:24PM -0600, Theo de Raadt wrote: Kurt and Solar -- You are the primary contacts for the oss-security email list. Kurt is not. Sorry for going slightly off-topic, since this is not an OpenBSD

Re: new OpenSSL flaws

2014-06-07 Thread Giancarlo Razzolini
On 07-06-2014 00:04, Solar Designer wrote: tools and ethics are separate things It seems like you got to the real issue now. Cheers, -- Giancarlo Razzolini GPG: 4096R/77B981BC

Re: new OpenSSL flaws

2014-06-07 Thread Francois Ambrosini
On Sat, 7 Jun 2014 07:04:47 +0400 Solar Designer so...@openwall.com wrote: To clarify and for the record: Being on the distros list is not mandatory to receive advance notification of security issues. The list is just a tool. People reporting security issues to the distros list are

Re: new OpenSSL flaws

2014-06-07 Thread Solar Designer
On Sat, Jun 07, 2014 at 09:13:36AM +0200, Francois Ambrosini wrote: On Sat, 7 Jun 2014 07:04:47 +0400 Solar Designer so...@openwall.com wrote: Being on the distros list is not mandatory to receive advance notification of security issues. The list is just a tool. People reporting

Re: new OpenSSL flaws

2014-06-06 Thread InterNetX - Robert Garrett
I do not believe that they are specifically ignoring OpenBSD, I believe they are ignoring the BSDs in general. Perhaps someone notified FreeBSD but nobody notified the DragonflyBSD team either. On 06/05/2014 09:27 PM, Theo de Raadt wrote: There are

Re: new OpenSSL flaws

2014-06-06 Thread Solar Designer
To clarify and for the record: Being on the distros list is not mandatory to receive advance notification of security issues. The list is just a tool. People reporting security issues to the distros list are encouraged to also notify upstream projects/developers of the affected software, other

new OpenSSL flaws

2014-06-05 Thread deraadt
We are sorry that the errata for these libssl security issues are not up yet. The majority of these issues are in our ssl library as well. Most other operating system vendors have patches available, but that is because they were (obviously) given a heads up to prepare them over the last few

Re: new OpenSSL flaws

2014-06-05 Thread Giancarlo Razzolini
On 05-06-2014 15:42, dera...@cvs.openbsd.org wrote: We are sorry that the errata for these libssl security issues are not up yet. The majority of these issues are in our ssl library as well. Most other operating system vendors have patches available, but that is because they were

Re: new OpenSSL flaws

2014-06-05 Thread Theo de Raadt
On 05-06-2014 15:42, dera...@cvs.openbsd.org wrote: We are sorry that the errata for these libssl security issues are not up yet. The majority of these issues are in our ssl library as well. Most other operating system vendors have patches available, but that is because they were

Re: new OpenSSL flaws

2014-06-05 Thread Giancarlo Razzolini
On 05-06-2014 15:57, Theo de Raadt wrote: On 05-06-2014 15:42, dera...@cvs.openbsd.org wrote: We are sorry that the errata for these libssl security issues are not up yet. The majority of these issues are in our ssl library as well. Most other operating system vendors have patches

Re: new OpenSSL flaws

2014-06-05 Thread Theo de Raadt
There are two main open-source processes for dealing with discovery of security issues and disclosure of that information to the greater community. - One common process is that generally followed by OpenBSD. In this process a bug is found, and a fix is committed as soon as the improvement is

Re: new OpenSSL flaws

2014-06-05 Thread Giancarlo Razzolini
On 05-06-2014 16:27, Theo de Raadt wrote: There are two main open-source processes for dealing with discovery of security issues and disclosure of that information to the greater community. - One common process is that generally followed by OpenBSD. In this process a bug is found, and

Re: new OpenSSL flaws

2014-06-05 Thread Miod Vallat
Now you have an example of how they are unwilling to work with you next time someone asks why not work with OpenSSL on fixing it. Pretty direct proof. The culture gap between OpenSSL and OpenBSD/LibreSSL is UNFIXABLE. We believe in peer review; they don't give a sh*t about it (as shown less

Re: new OpenSSL flaws

2014-06-05 Thread Marco Pfatschbacher
On Thu, Jun 05, 2014 at 08:02:58PM +, Miod Vallat wrote: If you can't trust people to apply one-liner fixes correctly, can you trust them for anything serious? I really don't like to point fingers, but... It is done by the same people that introduced the Debian random number bug back in

Re: new OpenSSL flaws

2014-06-05 Thread Theo de Raadt
It is clear that the second process -- intending to also take an ethical path for disclosure -- should not specifically exclude a part of the community. They specifically exclude parts of the community that specifically say they don't want to be INCLUDED. See:

Re: new OpenSSL flaws

2014-06-05 Thread Martin, Matthew
That's exactly my thought. Especially because FreeBSD and NetBSD were warned, but not OpenBSD. If this was only a rant or any childish behavior from them, it's something stupid and, of course, not the right thing to do. But hey, we're all human. My real concern is if this is something else, a

Re: new OpenSSL flaws

2014-06-05 Thread Theo de Raadt
That's exactly my thought. Especially because FreeBSD and NetBSD were warned, but not OpenBSD. If this was only a rant or any childish behavior from them, it's something stupid and, of course, not the right thing to do. But hey, we're all human. My real concern is if this is something else,

Re: new OpenSSL flaws

2014-06-05 Thread Theo de Raadt
Not saying I believe or disbelieve him, but it can't hurt to join even if it is only until 5.6 comes out. Another way to phrase this is The OpenBSD user community should accept they have suffered because Theo declined an invitation to a private email list, entirely unrelated to the

Re: new OpenSSL flaws

2014-06-05 Thread Bob Beck
We are not on a Linux distros mailing list, because we are not a Linux distribution. And this private mailing list is not really an acknowledged conduit for vulnerability release. I was asked by someone privately if *I* would be on that mailing list on June 2nd. I said I would consider it, but

Re: new OpenSSL flaws

2014-06-05 Thread Giancarlo Razzolini
On 05-06-2014 19:43, Bob Beck wrote: For the record, we didn't get advance notice of Heartbleed either, so this is nothing new. Bob, I didn't know that. I feel like I've released a monster (Cthulhu anyone?). I was just curious when I asked Theo if this did happen before. It's possible

Re: new OpenSSL flaws

2014-06-05 Thread Stuart Henderson
On 2014/06/05 20:43, Martin, Matthew wrote: That's exactly my thought. Especially because FreeBSD and NetBSD were warned, but not OpenBSD. If this was only a rant or any childish behavior from them, it's something stupid and, of course, not the right thing to do. But hey, we're all human.

Re: new OpenSSL flaws

2014-06-05 Thread Bob Beck
I may also remind people that those lists are acknowledged right at the top as experimental. They also do not allow for non personal subscriptions, so they aren't very practical for this. What if I was away for a day or three.. Or more.. Essentially this is a nice experiment, but not really a

Re: new OpenSSL flaws

2014-06-05 Thread Theo de Raadt
I suggest you talk to Mark Cox who actually handled this stuff. I'm not sure why you are asking two people (myself and Solar) who are NOT part of the OpenSSL team about whom the OpenSSL team notified. Kurt, if Mark Cox is the person who handled this stuff, fine. Who cares? I am hearing

Re: new OpenSSL flaws

2014-06-05 Thread Chris Cappuccio
Miod Vallat [m...@online.fr] wrote: Now you have an example of how they are unwilling to work with you next time someone asks why not work with OpenSSL on fixing it. Pretty direct proof. The culture gap between OpenSSL and OpenBSD/LibreSSL is UNFIXABLE. We believe in peer review;