Date: Thu, 13 Aug 2015 17:01:29 -0400
From: Mason Loring Bliss <mason@blisses.org>
To: Glen Barber
Cc: freebsd-security@freebsd.org
Subject: Re: Quarterly packages and security updates...
Message-ID: <20150813210129.GF4093@blisses.org>
References: <20150813202007.GC4093@blisses.org> <20150813204023.GJ24069@FreeBSD.org>
In-Reply-To: <20150813204023.GJ24069@FreeBSD.org>
List-Id: "Security issues [members-only posting]" <freebsd-security@freebsd.org>

On Thu, Aug 13, 2015 at 08:40:23PM +0000, Glen Barber wrote:

> [info@ removed, not sure why that email address was included.]

I'm hoping for pressure from above, as this is an important step that's
evidently being taken without quarterly branch security being bumped up in
priority. It seems to come as a surprise to many folks, and certainly I
wasn't aware of it until last week. (Also, board@ is now deprecated.)

I think the change to a default quarterly branch is a fantastic idea, but
without additional security updates it's got an ugly element of risk
associated with it, too. It will be the default, so as it stands, more folks
will be running vulnerable software.

> The reason this change was made is because the quarterly package set
> receives less intrusive updates, but it does still receive security
> updates.

I included the "pkg audit" output explicitly to demonstrate that there are
some gaping holes that will be deployed starting next week.

> This is documented in the 10.2-RELEASE release notes, which also shows
> how to change back to the 'latest' branch, if you so desire.

As noted, I'm already on the quarterly branches, because I think it's a
great idea generally. Falling back to the high-churn option to get access to
security patches when what you want is a stable environment is an awful
idea. I'm hoping that we do this, but do it right.

I can't see how anyone could find fault with my expressing this concern,
honestly.

-- 
Mason Loring Bliss  ((  If I have not seen as far as others, it is because
mason@blisses.org   ))  giants were standing on my shoulders. - Hal Abelson
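The thread turns on two practical things: what "pkg audit" reports on a host that tracks the quarterly branch, and how the repository override selects "quarterly" or "latest". The following POSIX sh helper is an added example written for this archive page; it is not code from the thread, from FreeBSD, or from either poster. It assumes the usual pkg-audit output shape (one "<pkg>-<ver> is vulnerable:" line per affected package, "CVE:" lines beneath it) and the documented per-repository override file /usr/local/etc/pkg/repos/FreeBSD.conf; the sample audit text and its CVE ids are constructed placeholders, not real advisories.

```shell
#!/bin/sh
# Added example (not part of the mailing-list thread): small helpers for
# treating "pkg audit" as a gate on hosts that track the quarterly branch.
#
# Assumptions (not stated in the thread):
#  - "pkg audit" prints "<pkg>-<ver> is vulnerable:" once per affected
#    package, followed by "CVE: <id>" lines and a "WWW:" reference.
#  - The branch is chosen by the "quarterly"/"latest" path component in
#    the url of /usr/local/etc/pkg/repos/FreeBSD.conf.

# Count affected packages in pkg-audit-style text read from stdin.
# grep -c prints 0 and exits 1 on no match; "|| true" keeps the 0 and
# makes the function safe under "set -e".
count_problems() {
    grep -c ' is vulnerable:' || true
}

# Print the CVE identifiers named in pkg-audit-style text (stdin), one per line.
list_cves() {
    sed -n 's/^CVE: //p'
}

# Policy check: succeed (0) only if the audit text reports no vulnerable
# packages. Intended use on a real host:  pkg audit -F | audit_ok
audit_ok() {
    n=$(count_problems)
    [ "$n" -eq 0 ]
}

# Print the pkg(8) repository override that pins a branch ($1: latest|quarterly).
# Writing this to /usr/local/etc/pkg/repos/FreeBSD.conf overrides the
# default FreeBSD repository definition without editing the base file.
repo_conf() {
    case "$1" in
        latest|quarterly) ;;
        *) echo "repo_conf: branch must be latest or quarterly" >&2; return 2 ;;
    esac
    printf 'FreeBSD: {\n  url: "pkg+http://pkg.FreeBSD.org/${ABI}/%s",\n}\n' "$1"
}

# Constructed sample in the shape of pkg-audit output. Package names and
# CVE ids are placeholders, not real vulnerabilities.
SAMPLE_AUDIT='foo-1.2.3 is vulnerable:
foo -- constructed example vulnerability
CVE: CVE-0000-0001
WWW: https://vuxml.FreeBSD.org/freebsd/PLACEHOLDER.html

bar-4.5 is vulnerable:
bar -- another constructed example
CVE: CVE-0000-0002
CVE: CVE-0000-0003
WWW: https://vuxml.FreeBSD.org/freebsd/PLACEHOLDER.html

2 problem(s) in the installed packages found.'

# Demo against the constructed sample:  sh this_script.sh --demo
if [ "${1:-}" = "--demo" ]; then
    echo "vulnerable packages: $(printf '%s\n' "$SAMPLE_AUDIT" | count_problems)"
    echo "CVE ids:"
    printf '%s\n' "$SAMPLE_AUDIT" | list_cves
    if printf '%s\n' "$SAMPLE_AUDIT" | audit_ok; then
        echo "audit: clean"
    else
        echo "audit: vulnerable packages installed"
    fi
    echo "override for the latest branch:"
    repo_conf latest
fi
```

On a real host the gate is "pkg audit -F | audit_ok" (the -F flag fetches a fresh vulnerability database first), which a deployment script can run before declaring a freshly installed quarterly package set fit for service. The repo_conf helper only prints the override; writing it to the repos directory is a deliberate, separate step.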