From: Walter Hop
To: Kimmo Paasiala
Cc: freebsd-security@freebsd.org, Dag-Erling Smørgrav, Pawel Biernacki
Subject: Re: Proposal
Date: Wed, 9 Apr 2014 17:17:37 +0200
Message-Id: <8D81F198-36A7-47F4-B486-DA059910A6B4@spam.lifeforms.nl>
In-Reply-To: <9eeba1ab-2ab0-4188-82aa-686c5573a5db@me.com>
> In my opinion this issue couldn't have been handled any better considering what it takes to do the job properly, congrats to the security team from me.
>
> -Kimmo

Please don’t frame this as criticism of the security people, that’s not fair. Of course we all congratulate them :)

I think we’re just interested in discussing what could be improved to improve response time and also make their lives better. Do we need moar Jenkins? Extra build boxes? More cash to keep people on retainer? Resources for training new people? Liaisons with other projects to improve prior notification channels? Etc.

FreeBSD ports had a fix after ~4 hours I think, Ubuntu patched their base about an hour later, FreeBSD base took around 24 hours. Not super bad, but I think it’s safe to expect much more scrutiny of security-critical code in the coming years, so it looks like a good time to try to streamline if possible at all.

The public attention for this and similar events may also provide a unique window of opportunity for soliciting extra resources from professional users (e.g. via a Foundation campaign).

-- 
Walter Hop | PGP key: https://lifeforms.nl/pgp