From owner-freebsd-security@freebsd.org Mon Aug 31 12:35:14 2015
Message-Id: <201508311235.t7VCYm3c005189@fire.js.berklix.net>
To: Benjamin Kaduk
Cc: freebsd-security@freebsd.org
Subject: Re: Is there a policy to delay & batch errata security alerts ?
From: "Julian H. Stacey"
Organization: http://berklix.com BSD Unix Linux Consultants, Munich Germany
User-agent: EXMH on FreeBSD http://berklix.com/free/
X-URL: http://www.berklix.com
In-reply-to: Your message "Sat, 29 Aug 2015 12:38:36 -0400."
Date: Mon, 31 Aug 2015 14:34:47 +0200
List-Id: "Security issues [members-only posting]"

Hi,
Benjamin Kaduk wrote:
> On Sat, 29 Aug 2015, Julian H. Stacey wrote:
>
> > Presumably there's no delays eg for PR, giving longer quiet periods before
> > a release, slipping out bad news immediately after good.
>
> That seems highly unlikely.

Hope so. Just considering what might add to floods.

> > What else might be causing batch flooding of alerts ?
>
> It's an awful lot of work to actually put all the pieces together to
> release security advisories;

Sure, realised :-)

> batching reduces the workload for the team.

Batching for a common lib or tool, Yes. But alerting pre-existing
issues just after new releases will reduce security for all who can't
spare enough time, so must skip the flood.

> This is true no matter what project you look at, be it FreeBSD or MIT
> Kerberos (where I am on the security team and can speak from personal
> experience) or something else. This is why errata notices are delayed
> until they can go out with a security advisory; it's explicitly a way to
> reduce the workload on the security team.

There were 5 Errata & 3 Advisories with
Sender: owner-freebsd-announce@freebsd.org
after 13 Aug 2015 announcement of 10.2-RELEASE.

Cheers,
Julian
--
Julian Stacey, BSD Linux Unix C Sys Eng Consultant Munich http://berklix.com
Reply after previous text, like a play - Not before, which loses context.
Indent previous text with "> "
Insert new lines before 80 chars.
Send plain text, Not quoted-printable, Not HTML, Not ms.doc, Not base64.
Subsidise contraception V. Global warming, pollution, famine, migration.