Date: Thu, 5 May 2016 12:14:30 -0700 (PDT)
From: Roger Marquis
To: Steven Hartland
cc: freebsd-security@freebsd.org
Subject: Re: Batching errata & advisories in heaps degrades security.
In-Reply-To: <3930e03c-f81b-1366-6c76-20549768cfe4@multiplay.co.uk>
References: <201605051625.u45GPODc084944@fire.js.berklix.net> <3930e03c-f81b-1366-6c76-20549768cfe4@multiplay.co.uk>

> Totally the opposite, it means one rollout instead of X rollouts making it
> simpler not harder.

I don't know, isn't that the logic behind Microsoft's failed Patch Tuesdays? It's important not to confound security with usability. Any delay to a security advisory is an invitation to hackers. I don't think that's what end-users expect from FreeBSD, much as the long arm of the NSA might want to make it so (primarily vis-a-vis CERT and NIST). Those sites that don't care about security are well served by batching, but given the packaging of base it seems like there's no longer any significant benefit.

Roger