Theo,

On Thu, Jun 05, 2014 at 04:38:24PM -0600, Theo de Raadt wrote:
> Kurt and Solar --
>
> You are the primary contacts for the oss-security email list.

Kurt is not. I guess the reason why you got such an impression was because Kurt invited you to join distros recently, not knowing that you had chosen not to join (not just you personally, but OpenBSD) in the private discussion we had in early 2012. I don't know it for sure, but I guess the reasons why Kurt and not someone else chose to (re-)invite OpenBSD included Kurt's past positive interactions with OpenBSD (e.g., I recall how he was welcome to work in the OpenBSD tent at HAL2001) and that he's an active participant on the distros list. He was just trying to help.

I am hosting the oss-security (public), and distros and linux-distros lists (private). So I am administrative contact for these lists. Additionally, this means that if the community starts asking for things I have strong feelings against, or I feel the private lists are causing more harm than they provide benefit (a tough balance, and there's no clear way to measure it), I may stop hosting the lists (this is why they stay "experimental" - perhaps permanently so, although we might adjust/remove the wording if it confuses people).

Now to your specific questions:

> Are you aware of any operating system, product suppliers, or
> service providers who were notified early by OpenSSL... but are not
> found on the private mailing list?

I am only aware of what's in the timeline you already saw (the one I posted to oss-security, taken from Mark Cox's Google+ post). Per that timeline, yes, there were notifications beyond distros list members:

2014-06-02 CERT/CC notify their distribution list about the security update but with no details
2014-06-03 "ops-trust" (1015) and selected OpenSSL Foundation contracts (0820) are told a security update will be released on 2014-06-05 but with no details

We (Openwall) did receive a notification from CERT/CC (with no detail, as the timeline correctly says). As to whether/why OpenBSD wasn't notified by CERT/CC, I don't know.

> I think it would be poor style to ask for specific names, but a
> vague statement confirming or denying things would be nice.

I don't even know any specific names of additional vendors CERT/CC might have notified, and I don't know who's "ops-trust" and "selected OpenSSL Foundation contracts". So the above is as specific as I have.

> There are claims that attendance on your private email list is
> required & sufficient for early disclosure from OpenSSL.

Per the above, it appears not to be the only way. As to it being sufficient, I don't know what OpenSSL team's intent is - it is up to them who and what lists to disclose to. To me, it does appear likely that they will continue notifying the distros list, but this is not any sort of authoritative answer since I'm not with OpenSSL.

> Thanks in advance for any clarity you can supply to this question.

I hope the answers above help.

Alexander