Date: Tue, 01 Sep 2015 14:02:23 +0200 From: =?utf-8?Q?Dag-Erling_Sm=C3=B8rgrav?= <des@des.no> To: "Julian H. Stacey" <jhs@berklix.com> Cc: Benjamin Kaduk <kaduk@mit.edu>, freebsd-security@freebsd.org Subject: Re: Is there a policy to delay & batch errata security alerts ? Message-ID: <86zj16cpps.fsf@nine.des.no> In-Reply-To: <201508311235.t7VCYm3c005189@fire.js.berklix.net> (Julian H. Stacey's message of "Mon, 31 Aug 2015 14:34:47 %2B0200") References: <201508311235.t7VCYm3c005189@fire.js.berklix.net>
next in thread | previous in thread | raw e-mail | index | archive | help
"Julian H. Stacey" <jhs@berklix.com> writes: > But alerting pre existing issues just after new releases will reduce > security for all who can't spare enough time, so must skip the flood. We can't always hold back a release, even when there are known issues. Users are waiting for it, release engineers need to move on to other work, and the very fact that we're holding it back with no explanation and no visible activity tells people that something is up. Also, how long are we going to hold it? There is *never* a point in time where the security team does not know of or suspect at least one issue in a current or upcoming release. The line has to be drawn somewhere. In the case of 10.2, the three ENs published on 2015-08-18 were for issues that would only affect a very small minority of users, and the expat issue was not raised until the release was almost complete. The ENs and SAs published on 2015-08-25 were either unknown or still in the very early investigation phase at the time of the release. DES --=20 Dag-Erling Sm=C3=B8rgrav - des@des.no
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?86zj16cpps.fsf>