From owner-freebsd-stable@freebsd.org Thu May 16 00:30:34 2019 Return-Path: Delivered-To: freebsd-stable@mailman.ysv.freebsd.org Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2610:1c1:1:606c::19:1]) by mailman.ysv.freebsd.org (Postfix) with ESMTP id B741E15A733C for ; Thu, 16 May 2019 00:30:34 +0000 (UTC) (envelope-from list_freebsd@bluerosetech.com) Received: from mailman.ysv.freebsd.org (mailman.ysv.freebsd.org [IPv6:2001:1900:2254:206a::50:5]) by mx1.freebsd.org (Postfix) with ESMTP id 08F7C8003B for ; Thu, 16 May 2019 00:30:34 +0000 (UTC) (envelope-from list_freebsd@bluerosetech.com) Received: by mailman.ysv.freebsd.org (Postfix) id B7DAB15A733A; Thu, 16 May 2019 00:30:33 +0000 (UTC) Delivered-To: stable@mailman.ysv.freebsd.org Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2610:1c1:1:606c::19:1]) by mailman.ysv.freebsd.org (Postfix) with ESMTP id A57D215A7338; Thu, 16 May 2019 00:30:33 +0000 (UTC) (envelope-from list_freebsd@bluerosetech.com) Received: from echo.brtsvcs.net (echo.brtsvcs.net [IPv6:2607:f740:c::4ae]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (Client did not present a certificate) by mx1.freebsd.org (Postfix) with ESMTPS id 4839780036; Thu, 16 May 2019 00:30:33 +0000 (UTC) (envelope-from list_freebsd@bluerosetech.com) Received: from chombo.houseloki.net (chombo [IPv6:2601:1c2:1402:1770:ae1f:6bff:fe6b:9e1c]) by echo.brtsvcs.net (Postfix) with ESMTPS id 9639E38D09; Wed, 15 May 2019 17:30:23 -0700 (PDT) Received: from [IPv6:2601:1c2:1402:1770:5c80:9656:5574:b3a3] (unknown [IPv6:2601:1c2:1402:1770:5c80:9656:5574:b3a3]) by chombo.houseloki.net (Postfix) with ESMTPSA id CBEB02830; Wed, 15 May 2019 17:30:22 -0700 (PDT) Subject: Re: FreeBSD flood of 8 breakage announcements in 3 mins. To: "Julian H. Stacey" , core@freebsd.org Cc: stable@freebsd.org, hackers@freebsd.org References: <201905151425.x4FEPNqk065975@fire.js.berklix.net> From: Mel Pilgrim Message-ID: Date: Wed, 15 May 2019 17:30:23 -0700 User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; rv:60.0) Gecko/20100101 Thunderbird/60.6.1 MIME-Version: 1.0 In-Reply-To: <201905151425.x4FEPNqk065975@fire.js.berklix.net> Content-Type: text/plain; charset=utf-8; format=flowed Content-Language: en-US Content-Transfer-Encoding: 7bit X-Rspamd-Queue-Id: 4839780036 X-Spamd-Bar: ------ Authentication-Results: mx1.freebsd.org X-Spamd-Result: default: False [-6.99 / 15.00]; NEURAL_HAM_MEDIUM(-1.00)[-1.000,0]; NEURAL_HAM_SHORT(-0.99)[-0.989,0]; REPLY(-4.00)[]; NEURAL_HAM_LONG(-1.00)[-1.000,0] X-BeenThere: freebsd-stable@freebsd.org X-Mailman-Version: 2.1.29 Precedence: list List-Id: Production branch of FreeBSD source code List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Thu, 16 May 2019 00:30:35 -0000 On 2019-05-15 7:25, Julian H. Stacey wrote: > Hi core@, > cc hackers@ & stable@ > > PR headline : "FreeBSD flood of 8 breakage announcements in 3 mins." > > https://lists.freebsd.org/pipermail/freebsd-announce/2019-May/date.html > > Volunteers who contribute actual fixes are very much appreciated; > But those styled as 'management' who delay announcements to batch floods > damage us. As they've previously refused to stop, it's time to sack them. > > Just send each announcement out when ready, no delays to batch them. > No sys admins can deal with 8 in 3 mins: > Especially on multiple systems & releases. Recipients start > mitigating, then more flood in, & need review which are > most urgent to interrupt to; While also avoiding sudden upgrades > to many servers & releases, to minimise disturbing server users, > bosses & customers. Admins attentive to security issues will already be tracking CVEs for the software they use and mitigating or solving the vulnerability by all means available. By batching updates, FreeBSD is making administrative decisions for other people's systems. Some folks don't need to worry about scheduling downtime and will benefit from faster update availability. Folks who need to worry about scheduling downtime are already going to batch updates and should be allowed to make those decisions for themselves. Batched SAs help in neither case. Example: the ntpd CVE is more than two months old, and was rapidly fixed in ports. I was able to switch my systems to the ports ntpd during a scheduled downtime window in March instead of doing it this weekend. So not only did I benefit from the faster update availability, I was able to make my own decision about my own systems and significantly reduce my exposure. Don't be Microsoft. Don't sit on security updates.