Date:      Wed, 15 May 2019 17:30:23 -0700
From:      Mel Pilgrim <list_freebsd@bluerosetech.com>
To:        "Julian H. Stacey" <jhs@berklix.com>, core@freebsd.org
Cc:        stable@freebsd.org, hackers@freebsd.org
Subject:   Re: FreeBSD flood of 8 breakage announcements in 3 mins.
Message-ID:  <e8125e97-6308-5ad0-b850-6825069683d4@bluerosetech.com>
In-Reply-To: <201905151425.x4FEPNqk065975@fire.js.berklix.net>
References:  <201905151425.x4FEPNqk065975@fire.js.berklix.net>

On 2019-05-15 7:25, Julian H. Stacey wrote:
> Hi core@,
> cc hackers@ & stable@
> 
> PR headline : "FreeBSD flood of 8 breakage announcements in 3 mins."
> 
> https://lists.freebsd.org/pipermail/freebsd-announce/2019-May/date.html
> 
> Volunteers who contribute actual fixes are very much appreciated;
> But those styled as 'management' who delay announcements to batch floods
> damage us. As they've previously refused to stop, it's time to sack them.
> 
> Just send each announcement out when ready, no delays to batch them.
> No sys admins can deal with 8 in 3 mins:
>    Especially on multiple systems & releases.  Recipients start
>    mitigating, then more flood in, & need review which are
>    most urgent to interrupt to;  While also avoiding sudden upgrades
>    to many servers & releases, to minimise disturbing server users,
>    bosses & customers.

Admins attentive to security issues will already be tracking CVEs for 
the software they use and mitigating or solving the vulnerability by all 
means available.

By batching updates, FreeBSD is making administrative decisions for 
other people's systems.  Some folks don't need to worry about scheduling 
downtime and will benefit from faster update availability.  Folks who 
need to worry about scheduling downtime are already going to batch 
updates and should be allowed to make those decisions for themselves. 
Batched SAs help in neither case.

Example: the ntpd CVE is more than two months old, and was rapidly fixed 
in ports.  I was able to switch my systems to the ports ntpd during a 
scheduled downtime window in March instead of doing it this weekend.  So 
not only did I benefit from the faster update availability, I was able 
to make my own decision about my own systems and significantly reduce my 
exposure.

Don't be Microsoft. Don't sit on security updates.
