Date:      Wed, 15 May 2019 21:22:45 -0500
From:      Bill Sorenson <instructionset@gmail.com>
To:        Mel Pilgrim <list_freebsd@bluerosetech.com>
Cc:        "Julian H. Stacey" <jhs@berklix.com>, core@freebsd.org, stable@freebsd.org, hackers@freebsd.org
Subject:   Re: FreeBSD flood of 8 breakage announcements in 3 mins.
Message-ID:  <CACcTwYkr55Vxx-jk7uyhppT0LBxfKYDEzTxmhJLL-Se7EJVAew@mail.gmail.com>
In-Reply-To: <e8125e97-6308-5ad0-b850-6825069683d4@bluerosetech.com>
References:  <201905151425.x4FEPNqk065975@fire.js.berklix.net> <e8125e97-6308-5ad0-b850-6825069683d4@bluerosetech.com>

> Admins attentive to security issues will already be tracking CVEs for
> the software they use and mitigating or solving the vulnerability by all
> means available.
>
> By batching updates, FreeBSD is making administrative decisions for
> other people's systems.  Some folks don't need to worry about scheduling
> downtime and will benefit from faster update availability.  Folks who
> need to worry about scheduling downtime are already going to batch
> updates and should be allowed to make those decisions for themselves.
> Batched SAs help in neither case.
>
> Example: the ntpd CVE is more than two months old, and was rapidly fixed
> in ports.  I was able to switch my systems to the ports ntpd during a
> scheduled downtime window in March instead of doing it this weekend.  So
> not only did I benefit from the faster update availability, I was able
> to make my own decision about my own systems and significantly reduce my
> exposure.
>
> Don't be Microsoft. Don't sit on security updates.

I'm inclined to agree with this sentiment. I can sort of understand holding an SA
for a week while waiting for another SA's embargo to end, but beyond that I think
the patches for Security Advisories should be made available as soon as
practical. SysAdmins need to be smart enough to plan updating strategies,
whether they can get away with patching quarterly, monthly, weekly, immediately,
etc. It depends on the systems and the circumstances. I appreciate the SO's
work, but in my opinion if a patch to a CVE makes it to STABLE it should be in
the patch branch within a week or so unless issues are discovered (and depending
on the severity of the issue maybe it should be pushed anyway with caveats.)

FreeBSD already makes a distinction between SAs and Errata, unlike some other
projects; I think that should factor into how they are delivered.
Security Advisories should be made available quickly regardless of whether they
are known to be exploited in the wild, or we might as well just go the Linux
route and call everything a 'bug fix' and not bother categorizing things at all.
