Many of the commenters in the last thread admitted to this, which made it all the more irrational. There was even a debate about whether, in general, 'conspiracy theories' were more or less common than the public perception. As if that had any bearing on these specific allegations.
With the strange claims made in the email (outsourcing, expired NDAs, DARPA knew), I wish Theo would've thought twice before publicizing this guy's name. At least the extra eyes on IPSEC might catch something else.
Third question: "Did you find anything?" Option 1: "Yes" => panic. Option 2: "No" => "Liar!".
You have to release all the details sometime, but the longer you wait, the more people suspect they aren't getting all the details (even if they are) and the larger the drama whirlpool becomes. Did "Kaminsky found a DNS bug, details will be forthcoming" accomplish anything? No, it was a giant clusterfuck.
As a side note, I think it's weird that in a "post-WikiLeaks" era people are arguing that an open source project named OpenBSD be less transparent.
You'll have a hard time gathering a small circle of people willing to state, for the record, "We reviewed the code and the invisible bug doesn't exist." Personally, I would want no part in an audit like that.
For a concrete threat, yeah, you fix it first. But the thing about scandals is that delay only incubates a bigger scandal.