Isn't that largely because the LibreSSL team refused the invite to the exclusive OpenSSL security list? At least that was the case the last time the LibreSSL devs complained about not receiving any vuln info in advance...
> Isn't that largely because the LibreSSL team refused the invite to the exclusive OpenSSL security list?
Would you have a source for that? And for their reasoning behind it? Was "last time" poodle or something else?
edit: in the sister thread[0] rlpb suggests the point of contention is that OpenSSL embargoes but Theo/OpenBSD (and thus libressl) does not take part in embargoes (and other issues including Theo being Theo), linking to http://lwn.net/Articles/601958/ as supporting evidence, which looks to cover just about all grounds.
Excuse me please, I see you are emotional about the issue but I don't think it's the good way to discuss it. Asking for the source for the claim is OK, this however...
> Excuse me please, I see you are emotional about the issue […] Asking for the source for the claim is OK, this however...
Uh what? I was just providing a relatively recent issue which IIRC libressl was also affected by as a possible candidate (turns out the issue in question is much older and not a "named vulnerability")
> the LibreSSL team refused the invite to the exclusive OpenSSL security list
As I understand it, they refused to accept embargoes (or guarantee that they wouldn't just go and scream "FIRE!" if one broke out, even before they could put it out) -- or patch ahead of others etc.
The "responsible" vs "full" disclosure thing. There are arguments on both sides, but from the perspective of being a developer, I can understand the wish to just be able to say: "Oh, shit. Turn off your SSL services now, this and this has been seen in the wild. We're working on a fix" -- rather than let some small number of juicy targets be compromised because someone had an exploit, but hardly anyone knew about it.
At any rate, if one was happy with openssl, one can just stick to openssl. Probably a pretty bad idea, though.
Another way to phrase this is:
The OpenBSD user community should accept they have suffered because Theo declined an invitation to a private email list, entirely unrelated to the vendor who was in control of deciding where the notification would go.
If you read the actual email thread http://marc.info/?t=140199386400003&r=3&w=2 you'll get a different perspective than the one that comes from a game of telephone played with social media comments.
[0] https://news.ycombinator.com/item?id=9217022