Way to cherry-pick a cherry-picking. Theo meant he has no time to join yet another mailing list where OpenSSL security issues are very likely way less than 1% of the messages. Also, it's a Linux mailing list and he maintains a BSD distro, not much in common. I remember back in '98 he said he processed about 2500 emails a day (using a custom set of emacs macros). "I'm more an email processing system than a developer, sigh" (paraphrasing)
Why can't OpenSSL have a simple early warning list like most other major software packages? It's only adding one CC field.
It would be nice if he'd said that, rather than "Well, they just don't." which completely misrepresents the situation. AFAIK, he has never requested such a thing, anyway. The only requests I see come from third party apologists, not from him.
He just complains that they don't give him access, when in fact they offered him access.
> Theo meant he has no time to join yet another mailing list where OpenSSL security issues are very likely way less than 1% of the messages.
From the context, it sounds like he was asked to join a linux distro security mailer, which wouldn't make sense. Isn't there an OpenSSL mailer for this stuff?
There are two lists: linux-distros and distros, the latter including FreeBSD and NetBSD. (Why is OpenSolaris - or whatever it's called this year - not in there too?)
Nevertheless, it should be doable for OpenSSL to also mail LibreSSL; it is a bit of a special case, after all.
To me it seems mostly a difference in principles. If OpenSSL and others work with embargoes and LibreSSL/OpenBSD doesn't accept them, there is no solution that satisfies both sides.
The number of mails sounds like a strange argument to me. I can't imagine that they couldn't find one of the regular consumers of the mailing list willing to pass relevant ones on, assuming it were clear that LibreSSL is an accepted recipient of the information.
That said, I don't expect much in the way of goodwill or willingness to compromise on any side here.
> To me it seems mostly a difference in principles. If OpenSSL and others work with embargoes and LibreSSL/OpenBSD doesn't accept them, there is no solution that satisfies both sides.
Indeed, this is the main point, OpenBSD developers are proponents of full-disclosure:
> Security information moves very fast in cracker circles. On the other hand, our experience is that coding and releasing of proper security fixes typically requires about an hour of work -- very fast fix turnaround is possible. Thus we think that full disclosure helps the people who really care about security.
> Also, it's a Linux mailing list and he maintains a BSD distro, not much in common.
No, you're thinking of linux-distros@. linux-distros@ is where issues that affect Linux only go. distros@ covers issues that are relevant to both BSD and Linux - distros@ membership is FreeBSD+NetBSD+linux-distros@.
> Why can't OpenSSL have a simple early warning list like most other major software packages? It's only adding one CC field.