I received an inquiry about our errata process, so I thought I'd clarify our
policy for the community.

We don't have a rigid set of rules determining which fixes qualify for
backported fixes, but we consider the following criteria. Patches are rare, so
it's important that we retain some flexibility when dealing with them.

1. The impact of the bug. Does it affect integrity, confidentiality, or
availability? A bug that permits compromise of a system is more severe than a
bug that only permits a crash.

2. The accessibility of the bug. Is it in a network attached component,
or restricted to local users?

3. The number of users affected. It's more important to patch bugs that
affect all users than bugs in rarely used components.

4. The stability of the fix. Some fixes are more invasive than others. It's
very important that errata do not introduce regressions that make things
worse.

We weigh these criteria against the work and disruption to end users. Ideally,
patches are simple and safe and all users apply them as they come out. Users
shouldn't be forced to pick and choose among the available errata. Publishing
too many patches for minor issues results in unnecessary disruption.


Sebastian Rother wrote:
> Dear Theo, dear Ted...
> 
> I write both of you to send you another e-Mail pointing out your
> failures.... How dare you to not TAG Patches to a stable release?
> I talk about: http://marc.info/?l=openbsd-tech&m=142330022605888&w=2
> What are the reasons? LACK OF SUPPORT? Are you kidding me? Or is it more
> to support your companies...?
> 
> How dare you... to keep users you claim to protect, with "security in
> mind" unprotected...
> 
> You need a HowTo for CVS to tag it? Let me provide both of you a hand...
> I write a summary up for you to enable you to TAG your patches!
> 
> SECURITY WAS ONCE THE GOAL OF THE PROJECT... you retards.
> YOU CLUSTERFUCK'ED IT FROM BEHIND... for what gain? Did any of you get
> bought by the DARPA meanwhile? Maybe some "university project" Ted..?
> 
> 
> 
> Sebastian
> 
> p.s.
> Mr. deRaadt: STFU: Ok? If you won't STFU, you as person or as project
> (yes, this implies maybe also Ted), I gonna bitch with any of you at
> conferences... I gonna take weapons like CVS Tags.... CVE codes you did
> not patch and I gonna go deeper and deeper.... and into any rabbit hole..
> 
> If you can't keep track of your own goals stop this project...
> 
> --
> Name: Sebastian Rother
> E-Mail: [email protected]
> 
> GPG key: 0x7A1C7480
> Key fingerprint: FFD0 EF0A 48EB 890A F400  94E5 8D6B B65C 7A1C 7480
> 
> Mercenary Security GmbH
> Dregerhoffstraße 21h
> D-12557 Berlin
> 
> Commercial register: Charlottenburg, Berlin
> Commercial register number: HRB 143173 B
> Managing director: Sebastian Rother
> 
> Phone: +49 030 50914741
> Homepage: https://www.mercenary-security.com/
> 
> Important notice: This e-mail and any attachments may contain trade or
> business secrets or other confidential information. If you have
> received this mail in error, you are aware of the status of this
> e-mail. In that case, please notify us immediately by reply mail and
> delete this e-mail together with any attachments from your system.
> Likewise, you may not copy this mail or its attachments or pass them
> on to third parties.
> Thank you.
> 
> Please note: The information contained in this message may be legally
> privileged and confidential and protected from disclosure. If the
> reader of this message is not the intended recipient, you are hereby
> notified that any unauthorised use, distribution or copying of this
> communication is strictly prohibited. If you have received this
> communication in error, please notify us immediately by replying to the
> message and deleting it from your computer.
> Thank You.
