From: Roger Marquis <marquis@roble.com>
To: freebsd-security@freebsd.org
Cc: freebsd-questions@freebsd.org
Date: Sun, 7 Jul 2019 09:20:21 -0700 (PDT)
Subject: Re: Review of FreeBSD Security Advisory Process: Incl Heads Up, Dates, Etc [cont: 5599 SACK]
References: <20190705060652.GA2974@server.rulingia.com>
List-Id: "Security issues [members-only posting]"

Peter Jeremy wrote:
> Security Officer is a volunteer position and their time is valuable.
> requiring them to do more work to provide information

Problem is such communications are critical for end-users. We all know the security teams are woefully over-burdened and under-resourced, but why argue for the status quo? Wouldn't it be better to appoint a communications coordinator and/or actually PAY THE SECURITY TEAMS so they can do the job without financial sacrifice? Looking at items the FreeBSD Foundation funds which have no measurable effect on the size of the user-base, and at the former BSD shops converting to Linux because of security, I don't know, it just seems like a no-brainer from here.

Many years ago people recommended only updating ports which had security advisories. Now nobody recommends that. Instead they recommend updating with every patch and keeping an eye on NIST CVEs, Bugtraq, and Red Hat, Debian and Ubuntu advisories. Even following advisories via RSS is, unfortunately, unsustainable overhead at most organizations.

A few years ago people recommended submitting vuxml entries when new advisories came out. Some of us did that and were surprised to find that even remote exploit (CVE level 7+) reports could sit in the queue for days or weeks. Follow-ups would be met with the same "we're all volunteers here". Not surprisingly, we (volunteer patch and vuxml submitters) no longer do that either.

Perhaps this is tilting at windmills, but wouldn't it be better to at least try beefing up security support and creating a sustainable SECURITY BUDGET? If it grew the user-base by only a few percent, that would at the very least make everyone's contribution more valuable.

IMO,
Roger Marquis