Well, as long as somebody ended up going public without much delay, it doesn't really matter a whole lot who does it.
The way I look at it, it seems that it should have been handled in a manner similar to how you deal with security disclosures. You go to them first, in private, then you let the end users know what happened after it's been resolved.
It's a bit different from your normal GPL violation because generally you're trying to prevent people from closing off access to code. In this case you're trying to prevent third-party, mostly anonymous people from using tainted code from the OpenBSD project.
Copyright © 2017, Eklektix, Inc.
Comments and public postings are copyrighted by their creators.
Linux is a registered trademark of Linus Torvalds