
Because if OpenBSD pushes out a broken patch, nobody will care, as this is business as usual in the free software world, shit breaks, WITHOUT ANY WARRANTY and all that. On the other hand, if Microsoft does that, customers paying millions of dollars will get pissed.

That said, 100+ days to push out a patch is indeed ridiculous.



Except OpenBSD isn't shipping broken patches... so I'm struggling to see your point.

There's a pretty substantial difference between 3 days and 90 days (or 100). And one could argue that any number of days after the embargo ends is plenty of opportunity for their paying customers to remain vulnerable without having been provided any fixes, regardless of whether a fix is broken or not.


I seriously doubt that OpenBSD can ensure that their patches don’t break their users in 3 days. Additionally, if their patches do break their users, OpenBSD can, unlike Microsoft, claim that it’s working as intended, and if you don’t like it, tough shit. Microsoft doesn’t really have this as an option.


You are extremely generous in assuming Big Corp is using the whole 90 days for the fix and validation. It might have been sitting in a backlog for 90% of that time.


Perhaps your argument would be stronger if you could provide some examples of broken patches pushed by OpenBSD?


Indeed: that OpenBSD can succeed in 3 days, with an errata team of typically 4-6 people, at what Microsoft, a company with well over a hundred thousand employees, is failing at in 90 days. That doesn't explain it.


Computing division correctly is not going to break anything. What will rely on an infinite loop?


I imagine Microsoft has a much longer test cycle than OpenBSD.


That... sounds like their problem. Like, I get that they have way more API surface, legacy code to support, etc... But they have a budget and manpower to match. If they can't test changes, that's their fault.


I think it's vastly easier to use budget and manpower to increase the scope of testing than it is to speed it up.


The only reason they should have a particularly long test cycle is scope.


Yeah, I wouldn't be surprised if the scope of Windows testing is larger than that of any single application in history.


Microsoft fired their testers in 2018 [1]. Since then we've seen a surge of pretty serious bugs, some of which had to be pulled [2]. Not saying this is related, as this is a vulnerability and not a bug in an update, but 100 days to release a patch is telling.

[1] https://news.ycombinator.com/item?id=17830381

[2] https://www.theverge.com/2018/11/13/18090982/microsoft-windo...


>"The number of apps in its Windows Store had dwindled to 13 percent of the 1.1 million offered in 2014, the company said, and it needed less bug testing from Lionbridge, according to a January 2017 memo obtained via a FOIA request."

Nothing to do with Windows desktop or Server.


Microsoft also doesn't have a warranty.



From memory they used to restrict all warranty claims to USD$5, but it appears it's been increased to USD$50 (or the sales price). I would wager it's probably because offering a maximum relief of less than 5% the cost of the product was found to be illegal somewhere.


> this is business as usual in the free software world, shit breaks, WITHOUT ANY WARRANTY and all that.

I'm struggling to understand how this can be true when the vast majority of the world's internet infrastructure runs on free software.



