From: Dag-Erling Smørgrav <des@des.no>
To: "Julian H. Stacey"
Cc: Benjamin Kaduk, freebsd-security@freebsd.org
Subject: Re: Is there a policy to delay & batch errata security alerts ?
Date: Tue, 01 Sep 2015 14:02:23 +0200
Message-ID: <86zj16cpps.fsf@nine.des.no>
In-Reply-To: <201508311235.t7VCYm3c005189@fire.js.berklix.net> (Julian H. Stacey's message of "Mon, 31 Aug 2015 14:34:47 +0200")

"Julian H. Stacey" writes:
> But alerting pre-existing issues just after new releases will reduce
> security for all who can't spare enough time, so must skip the flood.

We can't always hold back a release, even when there are known issues.
Users are waiting for it, release engineers need to move on to other work, and the very fact that we're holding it back with no explanation and no visible activity tells people that something is up.

Also, how long are we going to hold it? There is *never* a point in time where the security team does not know of or suspect at least one issue in a current or upcoming release. The line has to be drawn somewhere.

In the case of 10.2, the three ENs published on 2015-08-18 were for issues that would only affect a very small minority of users, and the expat issue was not raised until the release was almost complete. The ENs and SAs published on 2015-08-25 were either unknown or still in the very early investigation phase at the time of the release.

DES

-- 
Dag-Erling Smørgrav - des@des.no