Date: Tue, 01 Sep 2015 19:34:29 +0200 From: "Julian H. Stacey" <jhs@berklix.com> To: =?utf-8?Q?Dag-Erling_Sm=C3=B8rgrav?= <des@des.no> Cc: Benjamin Kaduk <kaduk@mit.edu>, freebsd-security@freebsd.org Subject: Re: Is there a policy to delay & batch errata security alerts ? Message-ID: <201509011734.t81HYTx8026045@fire.js.berklix.net> In-Reply-To: Your message "Tue, 01 Sep 2015 14:02:23 %2B0200." <86zj16cpps.fsf@nine.des.no>
next in thread | previous in thread | raw e-mail | index | archive | help
=?utf-8?Q?Dag-Erling_Sm=C3=B8rgrav?= wrote: > "Julian H. Stacey" <jhs@berklix.com> writes: > > But alerting pre existing issues just after new releases will reduce > > security for all who can't spare enough time, so must skip the flood. > > We can't always hold back a release, even when there are known issues. > Users are waiting for it, release engineers need to move on to other > work, and the very fact that we're holding it back with no explanation > and no visible activity tells people that something is up. Also, how > long are we going to hold it? There is *never* a point in time where > the security team does not know of or suspect at least one issue in a > current or upcoming release. The line has to be drawn somewhere. In > the case of 10.2, the three ENs published on 2015-08-18 were for issues > that would only affect a very small minority of users, and the expat > issue was not raised until the release was almost complete. The ENs and > SAs published on 2015-08-25 were either unknown or still in the very > early investigation phase at the time of the release. Thanks DES, I wasn't suggesting delaying releases, just how to smooth down alert waves after releases. But I had forgotten inevitably some issues that people worked hard on to meet releases, will just miss, & often continue to be worked hard on, so more than usual is ready to be announced just after release. Perhaps if core@ extend their presumed per release Thank You notes to re@ & beyond "Thanks for rolling a release", & append "Please take a short break, you deserve it + it will help minimise an immediate post release notification wave". Might that help ? Cheers, Julian -- Julian Stacey, BSD Linux Unix C Sys Eng Consultant Munich http://berklix.com Reply after previous text, like a play - Not before, which looses context. Indent previous text with "> " Insert new lines before 80 chars. Send plain text, Not quoted-printable, Not HTML, Not ms.doc, Not base64. Subsidise contraception V. Global warming, pollution, famine, migration.
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?201509011734.t81HYTx8026045>