Date:      Wed, 15 May 2019 10:52:57 -0700
From:      Gordon Tetlow <gordon@tetlows.org>
To:        "Julian H. Stacey" <jhs@berklix.com>
Cc:        Matt Garber <matt.garber@gmail.com>, Will Andrews <will@firepipe.net>, "freebsd-hackers@freebsd.org" <hackers@freebsd.org>, FreeBSD Core Team <core@freebsd.org>, FreeBSD Stable ML <stable@freebsd.org>, Alan Somers <asomers@freebsd.org>
Subject:   Re: FreeBSD flood of 8 breakage announcements in 3 mins.
Message-ID:  <20190515175257.GC33157@gmail.com>
In-Reply-To: <201905151715.x4FHF4eC068579@fire.js.berklix.net>
References:  <6CE35CEB-C2AB-47B1-AA86-BC9C91B2B8A6@gmail.com> <201905151715.x4FHF4eC068579@fire.js.berklix.net>

Hi. Your friendly neighborhood Security Officer here. I published the 5
advisories and 3 errata yesterday.

On Wed, May 15, 2019 at 07:15:04PM +0200, Julian H. Stacey wrote:
> Thanks Will,
> You make some good points, but all depend on variant circumstances.
> 
> I prefer to be informed ASAP, to make my own decisions with max info ASAP,
> Not delayed.  I want freebsd.org to Not Delay fix announcements into batches.

All but one of the fixes was already in the STABLE branches. So if you
wanted to track something that would get things as immediate as
possible, I would recommend looking at the STABLE branches, you just
won't get freebsd-update bits there.

Just to put a line in the sand here, I will always be batching
advisories when it works in my judgement. Granted, this batch was larger
than I wanted it to be; I ran out of time over the past couple of months
to get everything together (real life and all getting in the way).

There are two reasons I will batch:
1. Our users and the industry have a preference for batched updates.
2. There is a large upfront cost for getting the freebsd-update bits
   built. Meaning the time to do 1 advisory vs the time to do 8 makes it
   worthwhile to batch. No offense, but I value my time. I only have so
   much to devote to FreeBSD.

> As soon as exploits are in the wild, some will exploit,
> not announcing until binary updates are ready gives black hats more time.

Welcome to the push/pull of dealing with security. It is a risk based
decision, but I have the unenviable position of trying to make the best
risk based decision for the entire community. By definition, not
everyone will be happy with the decision.

> PS Here seems (*) an example of something in text config didn't even
> need to wait for src/ let alone bin. * Not sure, I'll try it later,
> got to dash off line.
> 
> https://lists.freebsd.org/pipermail/freebsd-announce/2019-May/001878.html
> ] IV.  Workaround
> ] Use 'restrict noquery' in the ntpd configuration to limit addresses that
> ] can send mode 6 queries.

I would note this is already the default config.

Best regards,
Gordon
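As an added example (not from this thread or from the FreeBSD project), a small POSIX shell check for the ntpd workaround quoted above: it reads an ntp.conf and reports every `restrict` line that would still answer mode 6 queries because it lacks `noquery`. The function name `ntp_restrict_check` and both sample configs are constructed for this example; the "hardened" one is modelled on the shipped default Gordon refers to.

```shell
#!/bin/sh
# Audit an ntp.conf for the 'restrict ... noquery' workaround. Every
# restrict line that applies to remote hosts should carry noquery, or those
# hosts can still send mode 6 queries; with no 'restrict default' line at
# all, ntpd applies no restrictions. Loopback entries are skipped because
# local ntpq control is expected.
#
# Usage: ntp_restrict_check /etc/ntp.conf
# Prints each offending line; exit 0 if clean, 1 if mode 6 is reachable.
ntp_restrict_check() {
    awk '
        { sub(/#.*/, "") }                  # strip comments
        $1 != "restrict" { next }           # only restrict lines matter
        {
            addr = ($2 == "-4" || $2 == "-6") ? $3 : $2
            if (addr == "127.0.0.1" || addr == "::1") next
            if (addr == "default") seen_default = 1
            found = 0
            for (i = 2; i <= NF; i++) if ($i == "noquery") found = 1
            if (!found) { print "open to mode 6 queries: " $0; bad++ }
        }
        END {
            if (!seen_default) {
                print "no restrict default line: all hosts may query"; bad++
            }
            exit (bad > 0)
        }
    ' "$1"
}

# Constructed config modelled on a default that restricts queries.
sample_conf_hardened() {
    cat <<'EOF'
server 0.freebsd.pool.ntp.org iburst
restrict default limited kod nomodify notrap noquery nopeer
restrict source  limited kod nomodify notrap noquery
restrict 127.0.0.1
restrict ::1
EOF
}

# Constructed config where an admin dropped noquery and opened a LAN range.
sample_conf_weak() {
    cat <<'EOF'
server 0.freebsd.pool.ntp.org iburst
restrict default kod nomodify notrap nopeer
restrict 192.0.2.0 mask 255.255.255.0 nomodify
restrict 127.0.0.1
restrict ::1
EOF
}
```

Run `sample_conf_weak > /tmp/weak.conf; ntp_restrict_check /tmp/weak.conf` to see the two offending lines reported, or point it at a live `/etc/ntp.conf`.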