And while I will reiterate, stop mailing us privately and asking, I can confirm that the situation has changed, and core LibreSSL developers have now had disclosure from OpenSSL. We will be keeping discusssion of all details strictly to that group until such time as OpenSSL releases publicly.
-Bob On Mon, Mar 16, 2015 at 2:52 PM, Theo de Raadt <dera...@cvs.openbsd.org> wrote: > Please people stop mailing me privately and asking. (Probably bugging > other people in the group as well). > > The OpenSSL group do not tell the LibreSSL group about vulnerabilities > that they are fixing in upcoming releases. > > Why? Well, they just don't. That's the whole story. > > Hopefully the LibreSSL team has been aggressive enough at cleaning > house, and the issue is already resolved in LibreSSL. > > Wait and see.
