Sebastian's emails don't make it to the list, but in the interest of
transparency and not hiding any secrets about OpenBSD's security, I'm
forwarding it along as requested.

I'm not going to comment further except to say that my mom's OpenBSD laptop
does not have linux compat enabled.

Sebastian Rother wrote:
> On 08.02.2015 02:47, Ted Unangst wrote:
> > I received an inquiry about our errata process, so I thought I'd clarify our
> > policy for the community.
> > 
> 
> Yes, and I stand FIRM to this...
> I please you to forward this e-Mail as well completely because I gonna
> explain a little bit more (NO PERSONAL BITCHING).
> 
> > We don't have a rigid set of rules determining which fixes qualify for
> > backported fixes, but we consider the following criteria. Patches are rare, so
> > it's important that we retain some flexibility when dealing with them.
> > 
> 
> I gonna answer to each point.
> 
> > 1. The impact of the bug. Does it affect integrity, confidentiality, or
> > availability? A bug that permits compromise of a system is more severe than a
> > bug that only permits a crash.
> 
> Once, there was a PF BUG....
> To make a Story short: Please do NOT judge "some class bugs"
> differently. Even a NULL POINTER can be serious ok? (AT ALL OF YOU!!!!)
> If you don't know why I offer you (that is seriously!) some training in
> C Coding practices might be required......
> 
> A NULL POINTER AINT "nothing to care about".... it is a serious SEC RISK
> POSSIBLY and you gonna need to invite guys who know ASSEMBLY A LOT AND
> CO... (I would partly trust Miod here, more Solar *sorry Miod*..)!
> 
> > 
> > 2. The accessibility of the bug. Is it in a network attached component,
> > or restricted to local users?
> 
> LIKE PF.. back then?
> NOBODY USES PF BY DEFAULT NOW.. or? *ahem*..
> 
> > 3. The number of users affected. It's more important to patch bugs that
> > affect all users than bugs in rarely used components.
> 
> That is of no concern! Be it just one who was affected: it's worth to
> handle it.
> Otherwise fascism like the one Cris populates might take over...
> NOBODY is more or LESS worth... no Project is MORE OR LESS worth...
> Consider the affected user being your mother...
> 
> So take ANY reported BUG seriously... but please let me criticize the rly
> serious stuff...
> 
> > 4. The stability of the fix. Some fixes are more invasive than others. It's
> > very important that errata do not introduce regressions that make things
> > worse.
> 
> FUCK IT... rly.
> If the "compatibility" breaks security, then the compatibility needs to
> lose...
> 
> I advised the "LibreSSL" guys several this way too.. they do not yet
> completely "listen"... I opened even 1-2 Tickets.... so I am safe to
> claim this.
> 
> 
> > We weigh these criteria against the work and disruption to end users. Ideally,
> > patches are simple and safe and all users apply them as they come out. Users
> > shouldn't be forced to pick and choose among the available errata. Publishing
> > too many patches for minor issues results in unnecessary disruption.
> > 
> 
> OK, now I get HARD...
> 
> 
> You did not backport LibreSSL Patches, Xorg Patches... should I name
> OTHERS... JUST FOR STABLE? Let me KNOW? I GONNA READ THE CVS LOG, like
> anyone could do!
> 
> THAT IS WHAT I CRITICIZE... OK? If you feel that I insult you personally, I
> am deeply sorry Ted... BUT THIS PROJECT NEEDS TO REROUTE.....
> 
> Most of the DEVS you kept are there for FAME... not because they like to
> "serve" or "provide" something. Be it Henning or others..
> 
> OpenBSD is not just THEO... and Theo fucked some guys even off...
> And hell.. as I would do better.. no I don't.. I am just not even as
> "polite" as Theo... I am absolute...
> 
> YOU guys (OpenBSD Devs.., ALL OF YOU.. feel uniquely offended if that
> UNITES YOU) stand at conferences and claim to have some UBERPROJECTS,
> be it LibreSSL, OpenBSD (your USB STACK IS STILL A JUNKYARD; AND NOOOOO
> I WONT HELP, srly..) or any of your Daemons (openhttpd...)...
> 
> 
> So what do you criticize me for? Why do I get personal offending?
> And Ted: if you respect my answer please do report it... >MY< e-Mail
> gets filtered because the same fascism applies which influenced
> undeadly... CRITIC... ain't allowed...
> 
> Openly said: if this e-mail won't get forwarded, because I banned to write
> a mail there... you do me a favour.....
> 
> 
> I did not and NEVER, offended yourself...
> I OFFEND the project goals currently... and I like to "correct" it.
> No matter if Theo loves it or not... SECURITY first, I told you like 10
> yrs about the RNG... but hey I was a moron.. told you about PF... USB
> stack.. netinet.. and still I am "Fucktard" (related to Theo)..
> 
> I donated crucial HW related to the MAIN CVS as it was required...
> And I did not so.. to get in love with Theo....
> 
> 
> Ted, it's up to u.. you made it public. Please keep me involved then.
> 
> Kind regards,
> Sebastian Rother
> 
> > 
> > Sebastian Rother wrote:
> >> Dear Theo, dear Ted...
> >>
> >> I write both of you to send you another e-Mail pointing out your
> >> failures.... How dare you to not TAG Patches to a stable release?
> >> I talk about: http://marc.info/?l=openbsd-tech&m=142330022605888&w=2
> >> What are the reasons? LACK OF SUPPORT? Are you kidding me? Or is it more
> >> to support your companies...?
> >>
> >> How dare you... to keep users you claim to protect, with "security in
> >> mind" unprotected...
> >>
> >> You need a HowTo for CVS to tag it? Let me provide both of you a hand...
> >> I write a summary up for you to enable you to TAG your patches!
> >>
> >> SECURITY WAS ONCE THE GOAL OF THE PROJECT... you retards.
> >> YOU CLUSTERFUCK'ED IT FROM BEHIND... for what gain? Did any of you got
> >> bought by the DARPA meanwhile? Maybe some "university project" Ted..?
> >>
> >>
> >>
> >> Sebastian
> >>
> >> p.s.
> >> Mr. deRaadt: STFU: Ok? If you wont STFU, you as person or as project
> >> (yes, this implies maybe also Ted), I gonna bitch with any of you at
> >> conferences... I gonna take weapons like CVS Tags.... CVE codes you did
> >> not patch and I gonna go deeper and deeper.... and into any rabbit hole..
> >>
> >> If you can't keep track of your own goals stop this project...
> >>
> >> --
> >> Name: Sebastian Rother
> >> E-Mail: [email protected]
> >>
> >> GPG key: 0x7A1C7480
> >> Key fingerprint: FFD0 EF0A 48EB 890A F400  94E5 8D6B B65C 7A1C 7480
> >>
> >> Mercenary Security GmbH
> >> Dregerhoffstraße 21h
> >> D-12557 Berlin
> >>
> >> Commercial register: Charlottenburg, Berlin
> >> Commercial register number: HRB 143173 B
> >> Managing director: Sebastian Rother
> >>
> >> Phone: +49 030 50914741
> >> Homepage: https://www.mercenary-security.com/
> >>
> >> Important notice: This e-mail and any attachments may contain trade
> >> or business secrets or other confidential information. If you have
> >> received this mail in error, the status of this e-mail is known to
> >> you. In that case please notify us immediately by reply mail and
> >> delete this e-mail together with any attachments from your system.
> >> Likewise you may not copy this mail or its attachments or pass them
> >> on to third parties.
> >> Thank you.
> >>
> >> Please note: The information contained in this message may be legally
> >> privileged and confidential and protected from disclosure. If the
> >> reader of this message is not the intended recipient, you are hereby
> >> notified that any unauthorised use, distribution or copying of this
> >> communication is strictly prohibited. If you have received this
> >> communication in error, please notify us immediately by replying to the
> >> message and deleting it from your computer.
> >> Thank You.
> 
> 
