Date: Tue, 05 Apr 2005 23:18:04 -0700
From: Colin Percival
To: jesper@www.hackunite.net
cc: freebsd-security@freebsd.org
Subject: Re: About the FreeBSD Security Advisories
Message-id: <42537F1C.5010502@freebsd.org>
In-reply-to: <1477.213.112.198.172.1112751249.squirrel@mail.hackunite.net>

Jesper Wallin wrote:
> I've noticed a delay between when the security advisories are sent and
> when the cvsup servers, ftp mirrors and web mirrors are updated. Is this
> delay on purpose to give the users some time to update/patch their
> system(s) before it hits pages like bugtraq, etc., or is it just caused
> by the delay between when the ftp/cvsup servers are synced?

It's mostly logistics. We write the advisory and prepare patches ahead of
time, but then we need to
1. Commit to the affected security branches (at least, to the ones which
   are still supported),
2. Update the advisory to include the correction times in the header,
3. Sign the advisory,
4. Upload the advisory + patches to ftp-master,
5. Email out the advisory.
6. Update the website to point to the advisory.

As Kris noted, the ftp and cvsup mirrors then catch up according to their
usual schedule. It probably took longer than usual for the ftp mirrors
this time since many of them are still grabbing the 5.4-RC1 bits.

Colin Percival