Date: Wed, 15 May 2019 10:52:57 -0700
From: Gordon Tetlow
To: "Julian H. Stacey"
Cc: Matt Garber, Will Andrews, "freebsd-hackers@freebsd.org", FreeBSD Core Team, FreeBSD Stable ML, Alan Somers
Subject: Re: FreeBSD flood of 8 breakage announcements in 3 mins.
Message-ID: <20190515175257.GC33157@gmail.com>

Hi. Your friendly neighborhood Security Officer here. I published the 5
advisories and 3 errata yesterday.

On Wed, May 15, 2019 at 07:15:04PM +0200, Julian H. Stacey wrote:
> Thanks Will,
> You make some good points, but all depend on variant circumstances.
>
> I prefer to be informed ASAP, to make my own decisions with max info ASAP,
> Not delayed. I want freebsd.org to Not Delay fix announcements into batches.

All but one of the fixes was already in the STABLE branches. So if you
wanted to track something that would get things as immediate as
possible, I would recommend looking at the STABLE branches, you just
won't get freebsd-update bits there.

Just to put a line in the sand here, I will always be batching
advisories when it works in my judgement. Granted, this batch was larger
than I wanted it to be; I ran out of time over the past couple of months
to get everything together (real life and all getting in the way).

There are two reasons I will batch:

1. Our users and the industry have a preference for batched updates.
2. There is a large upfront cost for getting the freebsd-update bits
   built. Meaning the time to do 1 advisory vs the time to do 8 makes it
   worthwhile to batch. No offense, but I value my time. I only have so
   much to devote to FreeBSD.

> As soon as exploits are in the wild, some will exploit,
> not announcing until binary updates are ready gives black hats more time.

Welcome to the push/pull of dealing with security. It is a risk based
decision, but I have the unenviable position of trying to make the best
risk based decision for the entire community. By definition, not
everyone will be happy with the decision.

> PS Here seems (*) an example of something in text config didn't even
> need to wait for src/ let alone bin. * Not sure, I'll try it later,
> got to dash off line.
>
> https://lists.freebsd.org/pipermail/freebsd-announce/2019-May/001878.html
> ] IV. Workaround
> ] Use 'restrict noquery' in the ntpd configuration to limit addresses that
> ] can send mode 6 queries.

I would note this is already the default config.

Best regards,
Gordon