From owner-freebsd-security@freebsd.org Tue Sep 1 17:35:10 2015
From: "Julian H. Stacey" <jhs@berklix.com>
To: Dag-Erling Smørgrav
cc: Benjamin Kaduk, freebsd-security@freebsd.org
Subject: Re: Is there a policy to delay & batch errata security alerts ?
Date: Tue, 01 Sep 2015 19:34:29 +0200
Message-Id: <201509011734.t81HYTx8026045@fire.js.berklix.net>
In-reply-to: Your message "Tue, 01 Sep 2015 14:02:23 +0200." <86zj16cpps.fsf@nine.des.no>
Organization: http://berklix.com BSD Unix Linux Consultants, Munich Germany
User-agent: EXMH on FreeBSD http://berklix.com/free/

Dag-Erling Smørgrav wrote:
> "Julian H. Stacey" writes:
> > But alerting pre existing issues just after new releases will reduce
> > security for all who can't spare enough time, so must skip the flood.
>
> We can't always hold back a release, even when there are known issues.
> Users are waiting for it, release engineers need to move on to other
> work, and the very fact that we're holding it back with no explanation
> and no visible activity tells people that something is up. Also, how
> long are we going to hold it? There is *never* a point in time where
> the security team does not know of or suspect at least one issue in a
> current or upcoming release. The line has to be drawn somewhere. In
> the case of 10.2, the three ENs published on 2015-08-18 were for issues
> that would only affect a very small minority of users, and the expat
> issue was not raised until the release was almost complete. The ENs and
> SAs published on 2015-08-25 were either unknown or still in the very
> early investigation phase at the time of the release.

Thanks DES,

I wasn't suggesting delaying releases, just how to smooth down alert
waves after releases.

But I had forgotten that, inevitably, some issues that people worked hard
on to meet releases will just miss, & often continue to be worked hard
on, so more than usual is ready to be announced just after release.

Perhaps if core@ extend their presumed per release Thank You notes to
re@ & beyond "Thanks for rolling a release", & append "Please take a
short break, you deserve it + it will help minimise an immediate post
release notification wave". Might that help ?
Cheers,
Julian
--
Julian Stacey, BSD Linux Unix C Sys Eng Consultant Munich http://berklix.com
 Reply after previous text, like a play - Not before, which loses context.
 Indent previous text with "> ". Insert new lines before 80 chars.
 Send plain text, Not quoted-printable, Not HTML, Not ms.doc, Not base64.
 Subsidise contraception V. Global warming, pollution, famine, migration.