On 2014/06/05 20:43, Martin, Matthew wrote:
> > That's exactly my thought. Especially because FreeBSD and NetBSD were
> > warned, but not OpenBSD. If this was only a rant or any childish
> > behavior from them, it's something stupid and, of course, not the right
> > thing to do. But hey, we're all human. My real concern is if this is
> > something else, a hidden agenda, in that this "stupid disclosure" was
> > indeed carefully planned. One can never have too many conspiracy
> > theories. Especially after what has been happening the last year. Thanks
> > for the clarification.
>
> Mark Cox claims that the reason OpenBSD was not told is because OpenBSD
> is not on the distros mailing list and if we were then "they'd be able
> to work with other distros on issues in advance."

The distros and linux-distros lists are a good way to contact *some* OS
distributions and Amazon.

http://oss-security.openwall.org/wiki/mailing-lists/distros

But there are clearly a number of others for whom an OpenSSL bug would have
big impact who are not on that list (OS such as OpenBSD and Apple, large
scale hosting providers, etc).

Many of these are listed on the security contacts page on the wiki, and
actually, the page with information about sending to the distros list
(which submitters cannot ignore as it has the required pgp key) says:

"Please notify upstream projects/developers of the affected software,
other affected distro vendors
<link to http://oss-security.openwall.org/wiki/vendors>, and/or affected
Open Source projects before notifying one of these mailing lists in order
to ensure that these other parties are OK with the maximum embargo period
that would apply."