Date: Wed, 15 May 2019 10:52:57 -0700
From: Gordon Tetlow <gordon@tetlows.org>
To: "Julian H. Stacey" <jhs@berklix.com>
Cc: Matt Garber <matt.garber@gmail.com>, Will Andrews <will@firepipe.net>, "freebsd-hackers@freebsd.org" <hackers@freebsd.org>, FreeBSD Core Team <core@freebsd.org>, FreeBSD Stable ML <stable@freebsd.org>, Alan Somers <asomers@freebsd.org>
Subject: Re: FreeBSD flood of 8 breakage announcements in 3 mins.
Message-ID: <20190515175257.GC33157@gmail.com>
In-Reply-To: <201905151715.x4FHF4eC068579@fire.js.berklix.net>
References: <6CE35CEB-C2AB-47B1-AA86-BC9C91B2B8A6@gmail.com> <201905151715.x4FHF4eC068579@fire.js.berklix.net>
Hi. Your friendly neighborhood Security Officer here. I published the 5 advisories and 3 errata yesterday.

On Wed, May 15, 2019 at 07:15:04PM +0200, Julian H. Stacey wrote:
> Thanks Will,
> You make some good points, but all depend on variant circumstances.
>
> I prefer to be informed ASAP, to make my own decisions with max info ASAP,
> Not delayed. I want freebsd.org to Not Delay fix announcements into batches.

All but one of the fixes was already in the STABLE branches. So if you wanted to track something that would get things as immediate as possible, I would recommend looking at the STABLE branches; you just won't get freebsd-update bits there.

Just to put a line in the sand here, I will always be batching advisories when it works in my judgement. Granted, this batch was larger than I wanted it to be; I ran out of time over the past couple of months to get everything together (real life and all getting in the way).

There are two reasons I will batch:

1. Our users and the industry have a preference for batched updates.

2. There is a large upfront cost for getting the freebsd-update bits built. Meaning the time to do 1 advisory vs the time to do 8 makes it worthwhile to batch. No offense, but I value my time. I only have so much to devote to FreeBSD.

> As soon as exploits are in the wild, some will exploit,
> not announcing until binary updates are ready gives black hats more time.

Welcome to the push/pull of dealing with security. It is a risk based decision, but I have the unenviable position of trying to make the best risk based decision for the entire community. By definition, not everyone will be happy with the decision.

> PS Here seems (*) an example of something in text config didn't even
> need to wait for src/ let alone bin. * Not sure, I'll try it later,
> got to dash off line.
>
> https://lists.freebsd.org/pipermail/freebsd-announce/2019-May/001878.html
> ] IV. Workaround
> ] Use 'restrict noquery' in the ntpd configuration to limit addresses that
> ] can send mode 6 queries.

I would note this is already the default config.

Best regards,
Gordon
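The workaround quoted above turns on whether each ntpd 'restrict' entry carries the 'noquery' flag, since ntpd answers mode 6 (control) queries from any address whose matching restrict entry lacks it. The following script is an added example, not part of the mailing-list thread or of FreeBSD's own tooling: it parses the restrict lines of an ntp.conf and reports the non-loopback scopes that still permit mode 6 queries. The two configuration fragments are constructed for the example and do not reproduce FreeBSD's shipped ntp.conf.

```python
"""Report ntpd 'restrict' entries that leave mode 6 (control) queries open.

Added example, not from the thread. Assumption: restrict syntax as in
ntp.conf(5): restrict [-4|-6] <scope> [mask <m>] [flags...], where the
'noquery' flag denies mode 6/7 queries for that scope.
"""
import ipaddress
from dataclasses import dataclass

# Constructed sample: the default scope lacks 'noquery', as does a LAN entry.
OPEN_CONF = """\
server 0.pool.ntp.org iburst
restrict default limited kod nomodify notrap nopeer   # no 'noquery'
restrict 127.0.0.1
restrict ::1
restrict 192.0.2.0 mask 255.255.255.0 nomodify notrap
"""

# Constructed sample: every non-loopback scope carries 'noquery'.
HARDENED_CONF = """\
server 0.pool.ntp.org iburst
restrict default limited kod nomodify notrap noquery nopeer
restrict 127.0.0.1
restrict ::1
restrict 192.0.2.0 mask 255.255.255.0 nomodify notrap noquery
"""


@dataclass
class RestrictEntry:
    scope: str      # "default", "source", an address, or "addr mask m"
    flags: tuple    # access-control flags, e.g. ("nomodify", "noquery")
    line_no: int    # 1-based line in the config, for reporting

    @property
    def allows_mode6_query(self) -> bool:
        return "noquery" not in self.flags

    @property
    def is_loopback(self) -> bool:
        # Local query access (127.0.0.1 / ::1) is normal and not reported.
        addr = self.scope.split()[0]
        try:
            return ipaddress.ip_address(addr).is_loopback
        except ValueError:   # "default", "source", CIDR or hostname forms
            return False


def parse_restrict(conf: str) -> list:
    """Extract RestrictEntry objects from ntp.conf text (comments stripped)."""
    entries = []
    for n, raw in enumerate(conf.splitlines(), start=1):
        tokens = raw.split("#", 1)[0].split()
        if not tokens or tokens[0] != "restrict":
            continue
        tokens = tokens[1:]
        if tokens and tokens[0] in ("-4", "-6"):   # address-family selector
            tokens = tokens[1:]
        if not tokens:
            continue
        scope = tokens.pop(0)
        if len(tokens) >= 2 and tokens[0] == "mask":
            scope = f"{scope} mask {tokens[1]}"
            tokens = tokens[2:]
        entries.append(RestrictEntry(scope, tuple(tokens), n))
    return entries


def open_query_scopes(conf: str) -> list:
    """Non-loopback scopes whose restrict entry permits mode 6 queries."""
    return [e.scope for e in parse_restrict(conf)
            if e.allows_mode6_query and not e.is_loopback]


if __name__ == "__main__":
    for name, conf in (("open", OPEN_CONF), ("hardened", HARDENED_CONF)):
        scopes = open_query_scopes(conf)
        print(f"{name}: {scopes or 'no scopes permit mode 6 queries'}")
```

A more specific restrict entry overrides the default one, so a hardened 'restrict default ... noquery' line is not enough on its own; the check therefore reports every non-loopback entry individually rather than only the default scope.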