"Speculating about Intel" by Theo de Raadt. A lunchtime BoF at #BSDCan
Yes, it will be livestreamed.
@phessler When I learn so much FreeBSD the next OS I am going to install is OpenBSD!
The FreeBSD Foundation has signed an NDA on behalf of several (I believe they said 4) developers.
The FreeBSD project has not signed them.
Theo asked FreeBSD to commit the fixes for the FPU state leak issue we have already publicly fixed (https://marc.info/?l=openbsd-cvs&m=152818076013158&w=2).
Shouting happened.
@phessler I'd be interested in forming some sort of BSD working group for collaborating on various microarchitectural security vulnerability issues and fixes.
I discussed this statement with a Director of the FreeBSD Foundation, and they said this was basically correct.
@phessler The fact that we honored the #KRACK embargo by keeping silent about the actual impact of the bug beyond #OpenBSD is part of the reason why #FreeBSD acted all surprised on the October 16 2017 disclosure date and patched their users one day too late:
https://lists.freebsd.org/pipermail/freebsd-announce/2017-October/001805.html
https://lists.freebsd.org/pipermail/freebsd-announce/2017-October/001806.html
So my guess is that nobody told them during the entire embargo window of July to October 2017.
Is there a better explanation?
In my opinion, they should have been told.
#OpenBSD has *never* intentionally violated an Embargo.
There were two incidents with OpenSSL, where they said "wait for the commits", we saw N-1/N commits, and committed all of them. Unintentional mistake.
The other was Krack Attacks, where we had written permission to commit.