What Theo and others, including myself, have made clear is that embargoes suck, and we will complain about them as is our right, but we will attempt to honor them if that's how it going to be.
I disagree. Embargoes are good for users, as long as (a) people actually respect the embargoes (rather than leaking details, whether to Theo or on a public Linux kernel mailing list), (b) the right people are part of the embargo, and (c) the embargo is not unreasonable long (Intel in particular fails here).
The decision to not work together on lazy FPU was made before Theo got involved.
Leaving aside the question of who refused to sign an NDA, after details were leaked to Theo he made a decision to go public rather than attempting to work productively with other vendors.
What Theo and others, including myself, have made clear is that embargoes suck, and we will complain about them as is our right, but we will attempt to honor them if that's how it going to be.
You can complain all you want, but if you want other people to give you advance notice of vulnerabilities they find, you should be prepared to give people advance notice of vulnerabilities you find. As long as OpenBSD has a policy of "bugs we find get fixed immediately, without talking to other vendors" you're going to run into problems here.
We need to be honest that embargoes serve a couple different purposes. One might be to prevent the leaking of information to malicious actors, and another is to protect vendors and HW manufacturers from embarrassment. As a user I don't care about the latter. Also, as someone concerned with the state of the world I dislike secret clubs, and I fear the reliance on secret clubs provides a false sense of secretivenss. Secrets leak.
If the bug is important enough to warrant an embargo it needs to be fixed ASAP. A month is too long to run with an important vuln in running code. It's always going to be a balance, and as a user not involved in any secret security clubs I want those bugs fixed and in the public space as quickly as reasonably possible.
Who exactly wasn't willing to work with who here?
Is OpenBSD supposed to comply with secret terms that they are purposely not made aware of, nor have agreed to?
That's a pretty unfair standard don't you think?
I've witnessed conversations since then between Intel people and FreeBSD people basically consisting of FreeBSD people saying "you guys really need to include OpenBSD" and Intel people saying "yeah... can you help get us connected with the right people?" so I don't think it's fair to suggest that OpenBSD is being purposely excluded.
Is OpenBSD supposed to comply with secret terms
I think that OpenBSD should follow the norms of the security community, i.e., contacting other operating system vendors and coordinating disclosures -- regardless of how they come across a vulnerability.
You discovered the secret, but recognize that embargoes still have value even if you weren't part of it. Be the better project, show magnanimity, and don't place end users of other projects at undue risk.
> That's a pretty unfair standard don't you think?
"An eye for an eye makes the whole world blind".
