Theo de Raadt | 17 Dec 19:23 2010

Re: Allegations regarding OpenBSD IPSEC

> On Fri, Dec 17, 2010 at 7:59 AM, Theo de Raadt <deraadt <at>> wr=
> ote:
> [skipped]
> > > I have to say that Perry here is credited with one thing he actually di=
> d not
> > > do -- publish this to the world. There has been talk of alterior motive=
> s here,
> > > but for any of these motives, Perry had to know or pretty damn well gue=
> ssed
> > > that =C2=A0the second thing Theo (hi, Theo) would do to his email was t=
> o publish it.
> > > Would you plan anything based on a predicted behavior of a person you
> > > haven't communicated with in 10 years?
> > >
> > > This is not to point finger at Theo for creating all this commotion, of=
>  course;
> > > this commotion can, however, be, an unintended accident, but the fact t=
> hat
> > > it came from Theo gave it a lot of credibility.
> >
> > Whoa, wait a second here. =C2=A0If you think I gave it credibility, you
> > need to go back and read my words again. =C2=A0I called it an allegation,
> > and I stick with that. =C2=A0I was extremely careful with my words, and y=
> ou
> > are wrong to interpret them as you do.
> Look, if somebody like me posted something like this here, it would be just
> plain dismissed.

If that is the case -- that people would dismiss it automatically --
then the community is really stupid.  You are almost arguing that that
is the way it should be.

Allegation of not, code should always be checked, and re-checked, and

What I am seeing is that we have a ridiculously upside-down trust
model -- "Trust the developers".

We never asked for people to trust us.  We might have "earned some" in
some people's eyes, but if so it has always been false, even before
this.  People should trust what they test, but the world has become
incredibly lazy.

We build this stuff by trusting each other as friends, and that is
done on an international level.  If anything, the layers and volume of
trust involved in software development should decrease trust. Oh
right, let's hear some of that "many eyes" crap again.  My favorite
part of the "many eyes" argument is how few bugs were found by the two
eyes of Eric (the originator of the statement).  All the many eyes are
apparently attached to a lot of hands that type lots of words about
many eyes, and never actually audit code.

If anything, the collaborative model we use should _decrease_ trust,
except, well, unless you compare it to the other model -- corporate
software -- where they don't even start from any position of trust.
There you are trusting the money, here you are trusting people I've
never met.

> If Perry posted his email here, he'd just be under fire to
> show some or any proof.

OK, so I post it, and then noone asks him for proof, now it suddenly
has more strength?  I am so bloody dissapointed in the community that
uses our stuff.

> The reason this was so widely picked up
> and generated so much flame and buzz, is because you posted it here.

How dismal.

> It's an unfortunate consequence of a right action, really. I'm not even
> remotely saying that you intended to give it weight, or that you
> should've swept it under the rug.

What a dismal world view.