From: Bill Sorenson
Date: Wed, 15 May 2019 21:22:45 -0500
Subject: Re: FreeBSD flood of 8 breakage announcements in 3 mins.
To: Mel Pilgrim
Cc: "Julian H. Stacey", core@freebsd.org, stable@freebsd.org, hackers@freebsd.org
List-Id: Technical Discussions relating to FreeBSD

> Admins attentive to security issues will already be tracking CVEs for
> the software they use and mitigating or solving the vulnerability by all
> means available.
>
> By batching updates, FreeBSD is making administrative decisions for
> other people's systems. Some folks don't need to worry about scheduling
> downtime and will benefit from faster update availability. Folks who
> need to worry about scheduling downtime are already going to batch
> updates and should be allowed to make those decisions for themselves.
> Batched SAs help in neither case.
>
> Example: the ntpd CVE is more than two months old, and was rapidly fixed
> in ports. I was able to switch my systems to the ports ntpd during a
> scheduled downtime window in March instead of doing it this weekend. So
> not only did I benefit from the faster update availability, I was able
> to make my own decision about my own systems and significantly reduce my
> exposure.
>
> Don't be Microsoft. Don't sit on security updates.

I'm inclined to agree with this sentiment. I can sort of understand holding an SA for a week while waiting for another SA's embargo to end but beyond that I think the patches for Security Advisories should be made available as soon as practical.
SysAdmins need to be smart enough to plan updating strategies, whether they can get away with patching quarterly, monthly, weekly, immediately, etc. It depends on the systems and the circumstances.

I appreciate the SO's work, but in my opinion if a patch to a CVE makes it to STABLE it should be in the patch branch within a week or so unless issues are discovered (and depending on the severity of the issue maybe it should be pushed anyway with caveats.)

FreeBSD already makes a distinction between SAs and Errata unlike some other projects, I think that should factor into how they are delivered. Security Advisories should be made available quickly regardless of whether they are known to be exploited in the wild or we might as well just go the Linux route and call everything a 'bug fix' and not bother categorizing things at all.