I've dropped CC to secur...@redhat.com, secur...@yandex.ru from this reply, because I don't feel like spamming them. I kept the CC to to...@yandex-team.ru, who I know is an OpenBSD user.
On Thu, Jun 05, 2014 at 10:57:56PM -0600, Theo de Raadt wrote:
> Solar and Kurt, a few questions:

I think you shouldn't be addressing these to Kurt - at least not any more than to anyone else who's active on oss-security and distros.

> Your one-word answers to the following questions will decide your
> reputation regarding open source security, my reputation regarding
> open source security, or the reputation of others.

I participate in these discussions primarily for reasons unrelated to anyone's reputation. I think it's impossible to provide useful yes/no answers to your questions, but since you asked for those so explicitly, I'll try to provide both (mostly useless) yes/no answers (based on formal interpretation of your questions), as well as hopefully more useful longer answers.

> 1. Was full and complete advance disclosure of this issue
> managed via your list?
>
> Answer yes or no. One word.

"Yes", assuming that the word "managed" applies to Mark's notification that we can request the full detail from him explicitly.

> 2. Previous to this morning, were you aware that OpenBSD was not
> receiving this information?
>
> Answer yes or no. One word.

"No", I was not aware, but given our past discussion I (personally) thought you wouldn't want to receive it under an embargo. So frankly, even if I were aware, I would probably not be alarmed if I heard that you were not being notified. I think this will be different now that you seem to have expressed a different preference.

> 3. In your hearts, do you believe that a substantial subset of open source
> OS users, via their vendor contacts, should ever accept a late delivery
> of information for any reason?
>
> Answer yes or no. One word.

I wish it could have been a "no", but that's too idealistic. So it's arguably "yes", because the world is large and not perfect, and sometimes balanced decisions need to be made - e.g., I respect one's preference not to be subjected to an embargo vs. giving them a chance to prepare for the public disclosure in advance. I guess your users care not only about receiving security patches in a timely manner, but also about your position on larger issues - such as whether embargoes should even exist. I wouldn't be surprised if a substantial subset of your users (so a subset of a subset of the open source software users at large) would accept a delayed patch for the reason of OpenBSD maintaining a stance against advance notifications (if you/they believe those are more bad than good). Especially given that OpenBSD is able to patch issues really fast, and the delay ends up being small. So your decision (or so I thought) not to receive advance notification didn't sound too unreasonable to me (for your project).

> 4. Were you party to a late disclosure to OpenBSD?
>
> Answer yes or no. One word.

Are you asking if I contributed to the disclosure to OpenBSD being late? By my inaction, "yes", and I've explained why I did not act. The same could apply to anyone else who was notified in advance but did not ask for a notification to OpenBSD to be made. I do accept that my responsibility may be greater due to me hosting the distros list.

> I wish it wasn't this way, but when were OpenBSD users asked their
> point of view regarding their security?

I don't know. I guess it's primarily your task, as a leader, to ask them how they'd like the balance between "timely patches" and "anti-embargo stance" adjusted.

> Right now, I am asking for an account of who caused them to not know
> at the same time as others.

There were multiple events leading to this. In my case, the most important event was that Jan-Feb 2012 discussion we had - but this definitely doesn't explain why others did not notify you.

Alexander