Message-Id: <201605051625.u45GPODc084944@fire.js.berklix.net>
To: freebsd-security@freebsd.org
Subject: Re: Batching errata & advisories in heaps degrades security.
From: "Julian H. Stacey"
Organization: http://berklix.eu BSD Unix Linux Consultants, Munich Germany
In-reply-to: Your message "Thu, 05 May 2016 11:07:56 -0400."
Date: Thu, 05 May 2016 18:25:24 +0200

Benjamin Kaduk wrote:
> As a member of the security team for two projects (not FreeBSD's, though),
> I can say that it is a lot of behind-the-scenes work to put out
> advisories,

Of course.

> and batching them reduces the unit cost of any given one.

If so, their issue, not ours. Our concern is FreeBSD.

> the
> contents of the errata notices have been public for quite some time

URLs? If info was complete early, delaying those announcements degraded
security of recipients. Batching also swamps recipients.

Julian
--
Julian Stacey, BSD Linux Unix Sys Eng Consultant Munich http://berklix.eu/jhs/
 Mail plain text, No quoted-printable, HTML, base64, MS.doc.
 Prefix old lines '> ' Reply below old, like play script. Break lines by 80.
 Brexit: Meeting +UK blocks votes of Brits in EU http://www.berklix.eu/brexit/