Date: Sat, 29 Aug 2015 12:38:36 -0400 (EDT)
From: Benjamin Kaduk
To: "Julian H. Stacey"
cc: freebsd-security@freebsd.org
Subject: Re: Is there a policy to delay & batch errata security alerts ?

On Sat, 29 Aug 2015, Julian H. Stacey wrote:

> Presumably there's no delays e.g. for PR, giving longer quiet periods before
> a release, slipping out bad news immediately after good.

That seems highly unlikely.

> What else might be causing batch flooding of alerts ?

It's an awful lot of work to actually put all the pieces together to release security advisories; batching reduces the workload for the team.
This is true no matter what project you look at, be it FreeBSD or MIT Kerberos (where I am on the security team and can speak from personal experience) or something else. This is why errata notices are delayed until they can go out with a security advisory; it's explicitly a way to reduce the workload on the security team.

-Ben Kaduk