From: Jeremy Chadwick <jdc@koitsu.dyndns.org>
To: Kurt Buff
Cc: freebsd-stable@freebsd.org
Date: Sat, 24 Dec 2011 09:25:06 -0800
Subject: Re: FLAME - security advisories on the 23rd ? uncool idea is uncool
Message-ID: <20111224172505.GA48953@icarus.home.lan>
References: <4EF4A75C.2040609@my.gd>
User-Agent: Mutt/1.5.21 (2010-09-15)
List-Id: Production branch of FreeBSD source code

On Sat, Dec 24, 2011 at 08:36:15AM -0800, Kurt Buff wrote:
> On Fri, Dec 23, 2011 at 08:07, Damien Fleuriot wrote:
> > Hey up list,
> >
> > Look, just a rant here.
> >
> >
> > Who in *HELL* thought it would be a cool idea to release no less than
> > FOUR security advisories today ?
>
> I'm guessing the Security Officer and those with whom he consults.
> Just a thought, since that's who sent the email.
>
> > I mean, couldn't this have waited and remained undisclosed until Monday ?
>
> Does "active exploitation in the wild" mean anything to you?
>
> > I for one do *NOT* relish the idea of updating 50+ boxes this evening
> > and tomorrow !
>
> Sucks to be you. You knew the job was dangerous when you took it, and
> if you didn't, well, then, bummer, it's what comes with the territory.
>
> I just spent my day yesterday downing my entire server environment in
> the US to upgrade the electrical, and it was a paid holiday for the
> company.
>
> As a sysadmin, you should know that these things happen, and learn to
> deal with them.
>
> > Not to mention a whole lot of merchants and banks have toggled IT Freeze
> > a few weeks ago, to ensure xmas shopping doesn't get disturbed by
> > production changes.
>
> Yeah. It's hell being a professional.
>
> > Seriously, this is just irritating.
>
> Cry me a river. You should be thanking the team for getting the
> releases to you as fast as possible, so you can take effective
> measures ASAP.

While this is generally true, the BIND issue was absolutely not
addressed "as fast as possible". I guess you weren't aware that it was
announced publicly literally over a month ago:

https://www.isc.org/software/bind/advisories/cve-2011-4313

I'm pretty certain there was a software update (new version of BIND)
announced by ISC shortly after the discovery of this issue. I say this
because we updated BIND at my workplace within 48-72 hours after said
issue was announced.

I say all of the above as politely and sincerely as possible -- I don't
want the FreeBSD Security Team to feel like I'm slamming them for taking
so long, as I'm quite aware there is sometimes red tape and unexpected
complexities that take precedence.

My point is that you're effectively telling Damien that he should be
thankful for the quick resolution times, and that really isn't the case
with regards to the BIND issue.

As for the rest of your comments: I both agree and disagree with their
sentiments. I would have summed it up as: "responsibility's a bitch".

Try to remember: Damien admitted point blank, up front, that his Email
was a rant. You know what they say about opinions, right? ;-)

All in all, I do hope everyone here has a good holiday season,
regardless of whether that's updating 50+ servers on Christmas Eve or at
home with family. Try to take something positive out of either
experience.

-- 
| Jeremy Chadwick                                jdc at parodius.com |
| Parodius Networking                       http://www.parodius.com/ |
| UNIX Systems Administrator                   Mountain View, CA, US |
| Making life hard for others since 1977.               PGP 4BD6C0CB |