From: Jamie Landeg-Jones
Date: Mon, 14 Apr 2014 13:32:15 +0100
To: matt@chronos.org.uk, freebsd-security@freebsd.org
Subject: Re: De Raadt + FBSD + OpenSSH + hole?

Matt Dawson wrote:

> My first thought when I saw this was "ego over ethics," which says more
> about Theo than FreeBSD.

Totally. I know Theo has a reputation for being 'difficult', but in my opinion, this outburst really calls into question his perceived motivations regarding secure software.

As to the specific question, I don't think his ego would allow a bug in openssh to persist, so even if it does, I'd suspect it's not too serious (or it's non-trivial to exploit), and it's related to FreeBSD produced 'glue'. This is total guesswork on my part, but I'd therefore assume he was talking about openssh in base, rather than openssh-portable in ports.