On 03/14/2007 09:13:19 AM, Martin Schröder wrote:
> 2007/3/13, Theo de Raadt <[EMAIL PROTECTED]>:
>> This means everyone should have our latest patches installed.
>
> Just a reminder: security-announce exists for messages like this. Use
> it or delete it.
>
> While the bug is bad, the handling of it is even worse.

I agree.  I'm very annoyed that I have to read about this
problem on slashdot.  The misc list is not the right place
for this announcement, some low-traffic announce list that
goes right into my inbox is where this stuff belongs.
I rely on having a clear channel for security related
problems.

OpenBSD's excellent reputation is what allows me to
sell it to my clients, which allows me to work with
OpenBSD.  I've always used the proactive, transparent, and
forthright tone of OpenBSD related communication as
a selling point.  This is the first time I've felt
let down and I hope it's the last.

I realize we get what we get from the OpenBSD project,
and I've certainly gotten a lot more than I've put
into it.  The response and announcement latency
has always been great, with a low signal to noise ratio.
My high expectations have always been met and that's what makes
this communication breakdown hurt.  It's not the
magnitude of the security vulnerability that's
the problem.

Problems communicating patch availability lead
to security problems as severe as unpatched
vulnerabilities.  Therefore communication problems
deserve the degree of acknowledgment and
resolution accorded to bugs in the code.

Regards,

Karl <[EMAIL PROTECTED]>
Free Software:  "You don't pay back, you pay forward."
                 -- Robert A. Heinlein
