From: Gordon Tetlow
To: "Julian H. Stacey"
Cc: Matt Garber, Will Andrews, freebsd-hackers@freebsd.org, FreeBSD Core Team, FreeBSD Stable ML, Alan Somers
Subject: Re: FreeBSD flood of 8 breakage announcements in 3 mins.
Date: Wed, 15 May 2019 10:52:57 -0700
List: freebsd-stable@freebsd.org
Message-ID: <20190515175257.GC33157@gmail.com>
In-Reply-To: <201905151715.x4FHF4eC068579@fire.js.berklix.net>

Hi. Your friendly neighborhood Security Officer here. I published the 5 advisories and 3 errata yesterday.

On Wed, May 15, 2019 at 07:15:04PM +0200, Julian H. Stacey wrote:
> Thanks Will,
> You make some good points, but all depend on variant circumstances.
>
> I prefer to be informed ASAP, to make my own decisions with max info ASAP,
> Not delayed. I want freebsd.org to Not Delay fix announcements into batches.

All but one of the fixes was already in the STABLE branches. So if you wanted to track something that would get things as immediate as possible, I would recommend looking at the STABLE branches; you just won't get freebsd-update bits there.

Just to put a line in the sand here, I will always be batching advisories when it works in my judgement. Granted, this batch was larger than I wanted it to be; I ran out of time over the past couple of months to get everything together (real life and all getting in the way). There are two reasons I will batch:

1. Our users and the industry have a preference for batched updates.
2. There is a large upfront cost for getting the freebsd-update bits built. Meaning the time to do 1 advisory vs the time to do 8 makes it worthwhile to batch.

No offense, but I value my time. I only have so much to devote to FreeBSD.

> As soon as exploits are in the wild, some will exploit,
> not announcing until binary updates are ready gives black hats more time.

Welcome to the push/pull of dealing with security. It is a risk-based decision, but I have the unenviable position of trying to make the best risk-based decision for the entire community. By definition, not everyone will be happy with the decision.

> PS Here seems (*) an example of something in text config didn't even
> need to wait for src/ let alone bin. * Not sure, I'll try it later,
> got to dash off line.
>
> https://lists.freebsd.org/pipermail/freebsd-announce/2019-May/001878.html
> ] IV. Workaround
> ] Use 'restrict noquery' in the ntpd configuration to limit addresses that
> ] can send mode 6 queries.

I would note this is already the default config.

Best regards,
Gordon
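The 'restrict noquery' workaround quoted at the end of the message, as an added audit script that is not part of the original post or of FreeBSD: it parses a constructed ntp.conf (FreeBSD-style defaults plus one loosened LAN entry, assumed for illustration) and reports whether the catch-all default restriction carries noquery and which narrower restrict entries would re-open mode 6 queries for their own sources, since ntpd applies the most specific matching entry.

```python
# ntpd attaches 'restrict' flags to an address range and applies the most
# specific matching entry; 'noquery' denies mode 6/7 control queries
# (ntpq/ntpdc) from the matching sources.  This audit reports whether the
# catch-all 'default' entry carries noquery and which narrower entries
# would re-open queries for their own sources.

# Constructed sample: FreeBSD-style default restrictions plus a LAN entry
# an administrator loosened (no 'noquery'), which re-enables mode 6
# queries from that subnet.  Not a real host's configuration.
SAMPLE_NTP_CONF = """\
server 0.freebsd.pool.ntp.org iburst
restrict default limited kod nomodify notrap noquery nopeer
restrict source  limited kod nomodify notrap noquery
restrict 127.0.0.1
restrict ::1
restrict 192.0.2.0 mask 255.255.255.0 nomodify notrap   # LAN, queries allowed
"""

def parse_restrict_lines(conf_text):
    """Return [(address, set_of_flags)] for every 'restrict' directive.

    Comments are stripped; 'mask x.x.x.x' is folded into the address so
    the mask value is not mistaken for a flag.
    """
    entries = []
    for raw in conf_text.splitlines():
        parts = raw.split("#", 1)[0].split()
        if len(parts) < 2 or parts[0] != "restrict":
            continue
        addr, flags = parts[1], parts[2:]
        if len(flags) >= 2 and flags[0] == "mask":
            addr, flags = f"{addr}/{flags[1]}", flags[2:]
        entries.append((addr, set(flags)))
    return entries

def audit_noquery(conf_text):
    """Return (default_has_noquery, [entries that still allow mode 6 queries])."""
    entries = parse_restrict_lines(conf_text)
    default_ok = any(a == "default" and "noquery" in f for a, f in entries)
    # Narrower entries without noquery override the default for their sources.
    # Loopback is normally left open on purpose, so it is not reported.
    open_sources = [a for a, f in entries
                    if "noquery" not in f and a not in ("default", "127.0.0.1", "::1")]
    return default_ok, open_sources

if __name__ == "__main__":
    print(audit_noquery(SAMPLE_NTP_CONF))
```

On the sample this reports that the default entry does carry noquery but the 192.0.2.0/24 entry re-opens control queries for that subnet.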