Karl O. Pinc wrote:
> 
> On 03/14/2007 09:13:19 AM, Martin Schröder wrote:
> > 2007/3/13, Theo de Raadt <[EMAIL PROTECTED]>:
> >> This means everyone should have our latest patches installed.
> 
> > Just a reminder: security-announce exists for messages like this.
> > Use it or delete it.
> > 
> > While the bug is bad, the handling of it is even worse.
> 
> I agree.  I'm very annoyed that I have to read about this 
> problem on slashdot.  The misc list is not the right place 
> for this announcement, some low-traffic announce list that 
> goes right into my inbox is where this stuff belongs.
> I rely on having a clear channel for security related problems.
> 
> OpenBSD's excellent reputation is what allows me to sell it 
> to my clients, which allows me to work with OpenBSD.  I've 
> always used the proactive, transparent, and forthright tone 
> of OpenBSD related communication as a selling point.  This is 
> the first time I've felt let down and I hope it's the last.
> 
> I realize we get what we get from the OpenBSD project, and 
> I've certainly gotten a lot more than I've put into it.  The 
> response and announcement latency has always been great, 
> with a low signal to noise ratio.
> My high expectations have always been met and that's what 
> makes this communication breakdown hurt.  It's not the 
> magnitude of the security vulnerability that's the problem.
> 
> Problems communicating patch availability lead to security 
> problems as severe as unpatched vulnerabilities.  Therefore 
> communication problems deserve the degree of acknowledgment 
> and resolution accorded to bugs in the code.
> 
> Regards,
> 
> Karl <[EMAIL PROTECTED]>
> Free Software:  "You don't pay back, you pay forward."
>                   -- Robert A. Heinlein
> 

1) JUMP!
2) HOW HIGH?

Do you REALLY want to play that game?

If the security is real and is actually proactive
Seems like you shouldn't have to play that game.

Is the bug actually serious in practice?
Are you actually safer with the bug fixed?

My gut feel is that the next unsung fix will actually make more 
difference to how secure the resulting system is.

This is from a kibitzer, BUT
I can guarantee that the security of OpenBSD is NOT due to panic 
attacks of trying to keep up with the latest security breaches.
