From owner-freebsd-security@freebsd.org  Wed Sep  2 07:29:42 2015
Return-Path: <owner-freebsd-security@freebsd.org>
Delivered-To: freebsd-security@mailman.ysv.freebsd.org
Received: from mx1.freebsd.org (mx1.freebsd.org
 [IPv6:2001:1900:2254:206a::19:1])
 by mailman.ysv.freebsd.org (Postfix) with ESMTP id 8D9979C889F
 for <freebsd-security@mailman.ysv.freebsd.org>;
 Wed,  2 Sep 2015 07:29:42 +0000 (UTC) (envelope-from des@des.no)
Received: from smtp.des.no (smtp.des.no [194.63.250.102])
 by mx1.freebsd.org (Postfix) with ESMTP id 55D56BD1
 for <freebsd-security@freebsd.org>; Wed,  2 Sep 2015 07:29:41 +0000 (UTC)
 (envelope-from des@des.no)
Received: from nine.des.no (smtp.des.no [194.63.250.102])
 by smtp.des.no (Postfix) with ESMTP id F1368C664;
 Wed,  2 Sep 2015 07:29:38 +0000 (UTC)
Received: by nine.des.no (Postfix, from userid 1001)
 id AFCC0D54; Wed,  2 Sep 2015 09:29:38 +0200 (CEST)
From: =?utf-8?Q?Dag-Erling_Sm=C3=B8rgrav?= <des@des.no>
To: "Julian H. Stacey" <jhs@berklix.com>
Cc: Benjamin Kaduk <kaduk@mit.edu>,  freebsd-security@freebsd.org
Subject: Re: Is there a policy to delay & batch errata security alerts ?
References: <201509011734.t81HYTx8026045@fire.js.berklix.net>
Date: Wed, 02 Sep 2015 09:29:38 +0200
In-Reply-To: <201509011734.t81HYTx8026045@fire.js.berklix.net> (Julian
 H. Stacey's message of "Tue, 01 Sep 2015 19:34:29 +0200")
Message-ID: <86vbbtcm8t.fsf@nine.des.no>
User-Agent: Gnus/5.13 (Gnus v5.13) Emacs/24.5 (berkeley-unix)
MIME-Version: 1.0
Content-Type: text/plain; charset=utf-8
Content-Transfer-Encoding: quoted-printable
X-BeenThere: freebsd-security@freebsd.org
X-Mailman-Version: 2.1.20
Precedence: list
List-Id: "Security issues \[members-only posting\]"
 <freebsd-security.freebsd.org>
List-Unsubscribe: <https://lists.freebsd.org/mailman/options/freebsd-security>, 
 <mailto:freebsd-security-request@freebsd.org?subject=unsubscribe>
List-Archive: <http://lists.freebsd.org/pipermail/freebsd-security/>
List-Post: <mailto:freebsd-security@freebsd.org>
List-Help: <mailto:freebsd-security-request@freebsd.org?subject=help>
List-Subscribe: <https://lists.freebsd.org/mailman/listinfo/freebsd-security>, 
 <mailto:freebsd-security-request@freebsd.org?subject=subscribe>
X-List-Received-Date: Wed, 02 Sep 2015 07:29:42 -0000

"Julian H. Stacey" <jhs@berklix.com> writes:
> I wasn't suggesting delaying releases, just how to smooth down alert
> waves after releases.

So you're suggesting holding back advisories?

> But I had forgotten inevitably some issues that people worked hard on
> to meet releases, will just miss, & often continue to be worked hard
> on, so more than usual is ready to be announced just after release.

Not more than usual.  There just happened to be a cluster immediately
after 10.2.  There was no such cluster after 10.1; three advisories were
published four weeks after the release and a fourth a week after that.

Besides, even if there were such a wave after each release, would it
really matter?  Most organizational users need weeks if not months to
test a new version and plan its deployment, so that hypothetical wave
would not affect them any more than any other batch of advisories.

> Perhaps if core@ extend their presumed per release Thank You notes
> to re@ & beyond "Thanks for rolling a release", & append "Please
> take a short break, you deserve it + it will help minimise an
> immediate post release notification wave".  Might that help ?

You want the security team to take a vacation after each release so we
can maintain the illusion, at least for a couple of weeks, that there
are no bugs or vulnerabilities in FreeBSD?

DES
--=20
Dag-Erling Sm=C3=B8rgrav - des@des.no