1) Main OpenBSD server wasn't compromised, main FTP server ("ftp.openbsd.org") was.
2) Source code (the one in CVS) wasn't compromised, only .tar.gz packages placed on the FTP server were.
3) They did want people to know about this, that's why they released security advisory [1].
On top of that, at the time "ftp.openbsd.org" wasn't even running OpenBSD, the FTP server was part of SunSITE powered by Solaris [2].
[1] http://marc.info/?l=openbsd-misc&m=102821528812161&w...
[2] http://www.openbsd.org/cgi-bin/cvsweb/www/faq/faq8.html.diff...
1) Main OpenBSD server wasn't compromised, main FTP server ("ftp.openbsd.org") was.
2) Source code (the one in CVS) wasn't compromised, only .tar.gz packages placed on the FTP server were.
3) They did want people to know about this, that's why they released security advisory [1].
On top of that, at the time "ftp.openbsd.org" wasn't even running OpenBSD, the FTP server was part of SunSITE powered by Solaris [2].
[1] http://marc.info/?l=openbsd-misc&m=102821528812161&w...
[2] http://www.openbsd.org/cgi-bin/cvsweb/www/faq/faq8.html.diff...