On Sun, Jun 08, 2014 at 10:38:50AM +0200, Francois Ambrosini wrote:
> I am a mere user who happened to spot an inconsistency and wanted to
> inform all parties.

I appreciate the constructive nature of your messages.

> I will not comment on your guesses and opinions with information I do
> not have. I'll just state that I find your interpretation of the quote
> from the OpenSSL wiki rather optimistic,

It's not interpretation of the quote from their wiki.  It's what I think
they may and should do next time, given the circumstances, and an
observation that the specific wording on the wiki technically does not
contradict that.

> and give you the additional
> hint that a public statement from Mark Cox on Google+ goes against it
> (check the "timeline" post).

On the contrary, the timeline shows that distros wasn't the only place
OpenSSL sent a notification to.  It also lists CERT/CC, "ops-trust", and
"selected OpenSSL Foundation contracts".  So OpenSSL did have an
additional list of who to notify at that time.  I think they may have
such a list next time as well, and they may include LibreSSL on it.

> I humbly think it was (and is) not the right time for guesses and I
> must confess my surprise at your response. I would have thought that,
> with the new responsibility given to the "distro" list, you would want
> to check with the OpenSSL people first.

I think I am in a better position to politely put light pressure on
OpenSSL by stating my opinion publicly - namely, suggesting that they
notify LibreSSL next time - regardless of how exclusive or not their
planned use of the distros list might have been.

I especially don't want to end up receiving any non-public information
on their decision-making on who and how to notify, at which point I'd
have to choose between two evils: reveal something they might disclose
to me as (implied or stated) confidential, or not inform you and the
general public of that something if it's relevant to this discussion.

As you can see, I've CC'ed this and the message you replied to, to
Mark Cox, who managed OpenSSL's recent notification to distros list.
I don't expect Mark to comment, but I'd like him to be aware.

Mark - I hope you understand and agree with my position on this, as well
as my reasoning for not coordinating this with OpenSSL in private first.

Alexander