On Wed, May 12, 2004 at 03:41:17PM +0200, Martin Weber wrote:
> On Wed, May 12, 2004 at 09:15:57AM -0400, Thor Lancelot Simon wrote:
> > I think there's some misunderstanding here.  We don't usually do security
> > advisories for code that's not released; we fix the bug, and note the fix
> > appropriately in the CVS revision log; if you're using -current, you're
> > really supposed to keep an eye on source-changes, and so you'd see the
> > message there.
> 
> Okay.
> 
> The miscommunication reflects badly on the NetBSD project though.
> If e-matters was told that very paragraph above, I assume there
> wouldn't be comments bugging netbsd users at the bottom of their
> advisory (Disclosure Timeline).

Certainly miscommunications are to be avoided.  But, you know, that's what
a "miscommunication" is -- one person intends _X_ to be understood, but
the other ends up actually understanding not-_X_.  We do our best to be
responsive to security issues, and we went to work on this bug, in fact,
even before we had detailed information on what, exactly, it was, and we
did fix it quite quickly; if we failed to communicate what our usual
policy on advisories and unreleased code is, that was unfortunate, but it
does not seem particularly dreadful to me.

I assume that security-officer thought that e-matters understood what our
usual policy/process was, and e-matters thought that they understood it
and that it wasn't being followed.  Perhaps the fact that we consider
unreleased code to be *very* much "at your own risk" and to require user
vigilance did not get across to an adequate degree.  That's not a good
thing, but it's understandable (to me at least); we can only try to do
better in the future.

Thor