Inflamation by Bryan Cantrill (marc.info)
73 points by cnst 3 months ago | 15 comments

Ordinarily, I'd flag this stuff as just more drama. And I'm no fan of Theo de Raadt's. But from every account I've heard: OpenBSD was not included on the embargo for this bug. If Cantrill is accusing de Raadt of breaking that embargo, he owes a serious apology. This is not a minor thing: it is already perceived as problematic how some OS projects get included on these embargoes and others don't.

Guessing at a bug you weren't informed about, even if (in fact, especially if) the guess is informed by the actions of people who are included in the embargo, isn't doing anything wrong. The only people to blame are the people who tried and failed to protect a secret bug for just a subset of OS's.

Also: these embargoes are stupid, and everybody involved knows just how stupid they are. Rumors spread amongst the cool kids days or sometimes even weeks before anything is published.

de Raadt has been one of the conspicuously few unvarnished voices wrt Meltdown et al. Also, if he is to be believed as to OpenBSD's methods, something approaching actual hacking appears to have occurred. Can't help but think that might have a place at hacker news...

I'm not picking sides, just pointing out there is absolutely no context here for the average reader.

Maybe bcantrill can chime in.

Theo is the project leader for OpenBSD.

Last I heard, Cantrill was at Joyent, and worked on IllumOS.

For at least the last few multi-platform bug embargo cycles, people have been chattering about OpenBSD's unwillingness to participate in, or possibly even honor, embargoes.

Theo recently gave a presentation (at BSDCAN, I think?) that he opened by accusing the community at large of defaming OpenBSD's behavior around embargoes, despite OpenBSD project members helping other projects with previous embargoed bugs, then carefully pointed out that OpenBSD wasn't a party to any current embargoes despite reaching out and asking Intel to participate in this current FP bug.

Then he basically "guessed", based on what he says was a very vague rumor, what the FP bug was about.

Now he says Cantrill is, on some forums, accusing Theo or OpenBSD of getting a leak about the actual FP bug, and then helping break the embargo.

I think that about covers it?

> Last I heard, Cantrill was at Joyent, and worked on IllumOS.

Joyent is also now part of Samsung[1], and I initially assumed this is why it was included in the embargo. However, I recall reading[2] that they were upset at being left out of an embargo in the past, so maybe being part of Samsung doesn't provide as much clout as one would assume (due to Samsung's size)?

[1]: https://www.joyent.com/blog/samsung-acquires-joyent

[2]: https://news.ycombinator.com/item?id=16188916

He's referring to comments I made on lobste.rs.[1]

Those comments speak for themselves; I did not accuse Theo of breaking the embargo -- and to the contrary, I was advocating that OpenBSD be included. But, as I commented on lobste.rs, that Theo has acted irresponsibly has made achieving that inclusion quite a bit more difficult.

[1] https://lobste.rs/s/zwkuza/intel_cpus_might_leak_information...

You used the word "espionage".

If the LazyFP team wanted to keep Theo quiet, they should have included OpenBSD in the first place. You can't retroactively include them once they figure it out; that's not an embargo, that's omerta.

I used the word "espionage" in a sentence that had many other words in it -- and it wasn't my intent to imply that they had obtained this information through malfeasance. To the contrary, I think it was much likely leaked by someone friendly to OpenBSD's cause (the "post-Spectre rumors" referred to in the commit[1]).

Regardless, it wasn't handled responsibly -- and to those of us who were under the embargo who did advocate for the inclusion of OpenBSD, the behavior here has made that argument much more difficult.

[1] https://marc.info/?l=openbsd-cvs&m=152818076013158&w=2

edit: See below...can probably ignore this post

In that post you linked, you wrote this:

> That discussion was ongoing when OpenBSD caught wind of this – presumably because someone who was embargoed felt that OpenBSD deserved to know

In the email by Theo linked above he wrote this:

> In some forums, Bryan Cantrill is crafting a fiction.

> He is saying the FPU problem (and other problems) were received as a leak.

> He is not being truthful, inventing a storyline, and has not asked me for the facts.

> This was discovered by guessing Intel made a mistake.

It's pretty clear that he is referring to your presumption that someone under the embargo told them as being the "crafting a fiction". Maybe you should simply follow up either with evidence supporting that presumption (if it exists) or just a clear statement it is only a presumption and that you simply just don't believe they found it independently. (To be clear, for your average person the latter claim wouldn't hold much weight, but your words are respected more than most so the presumption wouldn't necessarily be immediately ignored even if it had no backing evidence.)

edit: Sorry I just saw this post of yours lower in the thread:


> What I am saying is that however Theo obtained information – and indeed, even if that information didn’t originate with the leak but rather by “guessing” as he is now apparently claiming – how he handled it was not responsible. And I am also saying that Theo’s irresponsibility has made the job of including OpenBSD more difficult.

So I guess there's not much more for you to say. You've said you don't believe him, but you've also indicated you don't really have the evidence (other than your experience). Seems fine to me.

By what logic "and should have considered himself part of the embargo in spirit if not in letter." does this place him under any obligation?

While it's hard not to rubber-neck, this isn't very interesting stuff.

Agreed. I'd prefer to focus on the vulnerability not the drama. I deeply respect both these community leaders and it pains me to see this unfolding. Wishing for the best outcome.

Disagree, in this case. OpenBSD is routinely excluded from embargoes. There's a perception that OpenBSD is hostile to them, or won't honor them. The accusation that OpenBSD purposefully subverted this most recent one has teeth. If it's a bogus accusation, it should be retracted, with an apology. It's not meaningless drama in this case.

Agreed, this probably doesn't belong on Hacker News.

Context: https://lobste.rs/s/zwkuza/intel_cpus_might_leak_information...

> That discussion was ongoing when OpenBSD caught wind of this – presumably because someone who was embargoed felt that OpenBSD deserved to know – and then fixed it in the worst possible way. (Namely, by snarkily indicating that it was to address a CPU vulnerability.) This was then compounded by Theo’s caustic presentation at BSDCan, which was honestly irresponsible: he clearly didn’t pull eager FPU out of thin air (“post-Spectre rumors”), and should have considered himself part of the embargo in spirit if not in letter.
