From: Eric van Gyzen
To: freebsd-security@FreeBSD.ORG, "Julian H. Stacey"
Subject: Re: Batching errata & advisories in heaps degrades security.
Date: Thu, 5 May 2016 12:01:22 -0500
Message-ID: <572B7C62.7050507@vangyzen.net>
In-Reply-To: <572B7ADB.6090500@FreeBSD.org>
References: <572B7ADB.6090500@FreeBSD.org>

Julian suggested that I share our private conversation:

Eric wrote:
> Regardless of my opinion on the topic, three of these are errata with no
> security implications, so the argument doesn't really apply in this context.

Julian wrote:
> Thanks Eric, fair point. So some of my argument doesn't apply,
> better for FreeBSD than I thought. :-) Still batching is bad,
> just not as bad as I thought, but still 3 errata swamp the security post.

On 05/05/2016 09:59, Julian H. Stacey wrote:
> Another bunch of Security alerts, degrades FreeBSD by being clumped together:
>
> Subject: [FreeBSD-Announce] FreeBSD Security Advisory FreeBSD-SA-16:17.openssl
> Date: Wed, 4 May 2016 22:55:46 +0000 (UTC)
>
> Subject: [FreeBSD-Announce] FreeBSD Errata Notice FreeBSD-EN-16:06.libc
> Date: Wed, 4 May 2016 22:56:31 +0000 (UTC)
>
> Subject: [FreeBSD-Announce] FreeBSD Errata Notice FreeBSD-EN-16:08.zfs
> Date: Wed, 4 May 2016 22:56:40 +0000 (UTC)
>
> Subject: [FreeBSD-Announce] FreeBSD Errata Notice FreeBSD-EN-16:07.ipi
> Date: Wed, 4 May 2016 22:56:35 +0000 (UTC)
>
> I guess many recipients get tired of recent indigestible batches of
> multiple FreeBSD Errata & think approx:
>
> _Why_ have they been artificially batching in last years ?
> I could spare time to interrupt work for one priority alert,
> Not for a heap batched seconds apart ! _Why_ ?!
> I have no time now to action all this heap ! Maybe later ...
> ( & meanwhile security @ FreeBSD could complacently think:
> "We published all 4, if you don't immediately find time to
> secure all 4 & someone abuses you, don't blame us !" )
> Are they batched in delusion it will help FreeBSD public relations,
> to not scare people with too many days with FreeBSD alerts ?
> Batching _Degrades_ security. It is bad over-management,
> FreeBSD was better previously without batching, publishing each
> problem when analysed, Not held back for batching.
>
> Cheers,
> Julian