On Thu, 21 Jun 2018 13:07:23 -0600

> Kevin Chadwick <[email protected]> wrote:
> 
> > My point was that signing up in the first
> > place should be criticised, if anything.  
> 
> So you criticize our previous involvement in embargos where it was
> necessary?

I think you had little choice because of an incorrect established
procedure.

In fact, the KRACK case showed that OpenBSD patched well before
many others and many phones are still unpatched.

The embargo did not help others patch before release or allow users
to avoid and warn about certain use cases of Bluetooth and WiFi as soon
as possible (many months).

Embargoes create the idea that testing is more important than security.
With Lenovo's purchase of Motorola, they now say "we promise Oreo" even
though you are missing 6 separate months of Android security patches
and the newer phones have fewer security patches than the older ones.

Some people say "I shall update later, I just want to browse", and it can
take a week for Windows to update because Windows doesn't want to get in
the way.

Some say don't patch on patch release day.

Others patch and avoid browsing until it is patched.

It should be up to us to do what we can as soon as possible and not hope
some bad guy won't pay for information or work things out quicker.

Would it be faster to patch in open source if everything was public and
are emails secure?

> 
> Even in the situations where it took > a week to write a fix?
> 

Yes, especially when the plan was a month-plus embargo and who knows how
many weeks earlier people could have been told.

Is it feasible that code could be run on cloud systems (patched early)
to search for OS differences and hints on secret fixes?

> Everyone can tell that you are wrong.  Adults will make those
> decisions on a case by case basis.
> 
> You really should just say sorry and drop it.

I can't if I disagree, but I apologise for lack of clarity on the
embargo existence/honouring front.
