Hi,

One would have to point out that though they haven't released anything specific yet, they say that they will, and there are real reasons for not telling the world without providing sufficient warning to get systems at least partially protected. Sure, that might be in some ways inconsistent with their stated policy, but if they do release all the information next week (as I think they have said they will) then (probably) they have gone about it in as good a way as they could really be expected to.

As I understand it, the normal way for vendors to do this would have been to wait until next week before saying anything at all. Probably that would have been a clearer course of action as we wouldn't know about it until a fix was available. No nervous week of waiting, but also an extra week with a 'known' and presumably very serious security hole in all our systems. I don't like either of those options, but I'm inclined to think that being given an opportunity to do preemptive damage control is a Good Thing.

On the other hand I agree with you entirely about Theo. He is my only problem with the OpenBSD project.

Tim

On Tue, Jun 25, 2002 at 12:40:44PM +0200, Robert van der Meulen wrote:
>
> Quoting Paul Haesler ([EMAIL PROTECTED]):
> > Doesn't OpenBSD have a full-disclosure policy anyway?
>
> It has 'listen to theo or fuck off' disclosure policy, which basically means
> you have to do what theo says, and no matter what you do, you'll end up with
> problems and bitching, and disclosure is only done when it doesn't affect
> openbsd (or the '5 years without..' line on openbsd.org).
>
> Greets,
> Robert
>

--
Tim Nicholas || Cilix
Email: [EMAIL PROTECTED] || Dunedin, New Zealand
http://tim.nicholas.net.nz/ || Cell/SMS: +64 21 113 0399

--
To UNSUBSCRIBE, email to [EMAIL PROTECTED] with a subject of "unsubscribe". Trouble? Contact [EMAIL PROTECTED]