Subject: Why is open source bad for security?
To: None <tech-security@netbsd.org>
From: Darren Reed <avalon@coombs.anu.edu.au>
List: tech-security
Date: 10/15/2002 00:26:44
If anyone has ever wondered why people in responsible positions are
afraid to deploy open source solutions in security roles, I think
I've finally figured out why.

It's because when the push comes to shove, those who need to care
about it just don't bother or just have no clues about what they're
meant to actually do.  Well, at least that seems to sum up how
security-officer@netbsd.org has said it works or appears to work.

Personally, I'm disgusted that a personal email from me to NetBSD's
security officers was forwarded, in total, to CERT for public disclosure
recently - http://www.kb.cert.org/vuls/id/AAMN-5ERP4W.  I wasn't asked
to prepare a public notice and nobody asked me if they could use those
comments publicly.

Then again, the fact that they sat on that information for over a month and
said nothing to CERT until after I prodded them gives an indication of the
"care factor".

Why is it that they managed to fail so spectacularly with this but
managed to pump out a whole bunch of advisories on other stuff recently?

To say I'm annoyed with security-officer@ is an understatement; I
feel like I've been seriously let down here and so have NetBSD's
users.  If it were up to me, I'd hang them all upside down somewhere
and slap them about a bit for a few days while they thought about it
some.

Well, then again, if all NetBSD is trying to be is another mediocre
group of people not really doing anything much or being serious about
what they do, they're steaming ahead in fine form.  A complete new set
of people for security-officer@ might not be bad.  Someone who can take
the role seriously, even?