easy, Theo. I actually very much agree with you, and had not intended to stir anything up here. If users wish to get involved in an attempt (regardless of how hopeless) to encourage third parties to cooperate with OpenBSD developers, then you can certainly abstain from enabling that kind of help if you so choose. However, I wouldn't assign any malice to those seeking information that might enable them to do so.
I think perhaps you have an inflated impression of my expectations of OpenBSD and its dev team. So far, *my* expectations have always been met, and even if they were not, I wouldn't hold it against you or your team anyway. I understand the design philosophy behind "we make it for ourselves, and if you find it useful, go ahead and use it." However, if the users who buy the hardware pressure the hardware manufacturers to cooperate with OpenBSD devs, they can be quite helpful to the process. On Wed, Jul 9, 2008 at 12:19 PM, Theo de Raadt <[EMAIL PROTECTED]> wrote: >> I'm not one to condone shitty attitudes. >> >> However, I think in this case it's unfair to claim that one can have >> no expectations of OpenBSD with regards to security patches. If I >> could have no such expectations, I would not use OpenBSD in the first >> place. > > Then don't. > >> I have these expectations based on a very impressive security >> history for which the OpenBSD developers deserve much in the way of >> praise. > > And we will continue to try to stay ahead of the curve. But please, > bear with me, because I see you want to talk about expectations. > Sure, let's talk about them. > > First off, in this case just like in some other cases, you can > _expect_ to wait for a proper OpenBSD patch, since we are not solving > this by using the ISC solution. There are reasons, and they are our > private reasons. > > Meanwhile, I _expect_ that our developers will do a proper job, on > their own time schedule. > > I also _expect_ that it will be the best solution to the problem. > > I don't _expect_ that any pressure from our users will change their > process at all. > > I don't _expect_ that any of this will change any of the attitudes of > people out there who are natural assholes, through and through, living > lives of vocal _expectation_ without anything else to back them up. > > I don't _expect_ that any of them will go run some other operating > system, either. I don't _expect_ that I would care if they did. > > I _expect_ they will remain assholes tomorrow, and next week, and next > year too. > > I don't _expect_ that any of those whiners have the skills to simply > go and get the stock bind from ISC themselves, install it on their > openbsd systems, and undo all the other hard work we've done in this > area. I _expect_ that these people have difficulty running make. > > I _expect_ that our developers will do the best job. And I don't > _expect_ all of the people on our mailing lists to understand that. > >> Additionally, loyal OpenBSD users may be interested in the details of >> the vulnerability disclosure. There very well maybe loyal OpenBSD >> users who wish to very politely inform ISC that there are large >> numbers of BIND users who would appreciate the same level of >> cooperation between ISC and OpenBSD as ISC affords others. > > Again, I don't see how you can _expect_ the developers to care > anything about this thing which you _expect_. If we have private > discussions with ISC, then those are our private discussions. If you > have reservations about some communications not being public or such, > then I can see that you _expect_ way too much. Watch out -- having > _expectations_ can lead to developing a shitty attidude really > quickly. When you get to that point, you can _expect_ us to not give > a shit.
