[iamtedd]

> I just want actionable information

Which is, according to TFA, being released on 1 Nov., and according to my calendar, is in 3 days... Problem solved?

[rascul]

I'm not yet convinced there's a problem.

[iamtedd]

You're not convinced? About a security vulnerability...

From an open-source project...

That has a history of major security vulnerabilities...

Because there's no detailed information yet...

When industry best practice is to not give detailed information without a patch or workaround...

And they're giving you a heads-up for required mitigation in three days...

Rather than right now...

[rascul]

No, I'm not convinced that the vulnerability is something I need to care about, because there's no details about it. I can make that determination when I have details. I am well aware of that project's history. I see no information given that would imply this to be anything more special than a regular update for me, for which the process I have already streamlined. I understand the practice of not giving the details until there's a patch and I'm OK with that, but there's now been over 10 submissions to HN about it with over 150 combined comments and all we know is that an update is coming. I'm not buying into the hype.

[sodality2]

To provide a counter, it's the second total vuln to be labeled critical by OpenSSL - first was in 2014, and it was Heartbleed...