From: Kurt Buff
To: "freebsd-stable@freebsd.org"
Date: Sat, 24 Dec 2011 13:28:49 -0800
In-Reply-To: <20111224172505.GA48953@icarus.home.lan>
References: <4EF4A75C.2040609@my.gd> <20111224172505.GA48953@icarus.home.lan>
Subject: Re: FLAME - security advisories on the 23rd ? uncool idea is uncool

On Sat, Dec 24, 2011 at 09:25, Jeremy Chadwick wrote:
>
> While this is generally true, the BIND issue was absolutely not
> addressed "as fast as possible". I guess you weren't aware that it was
> announced publicly literally over a month ago:
>
> https://www.isc.org/software/bind/advisories/cve-2011-4313
>
> I'm pretty certain there was a software update (new version of BIND)
> announced by ISC shortly after the discovery of this issue. I say this
> because we updated BIND at my workplace within 48-72 hours after said
> issue was announced.
>
> I say all of the above as politely and sincerely as possible -- I don't
> want the FreeBSD Security Team to feel like I'm slamming them for taking
> so long, as I'm quite aware there is sometimes red tape and unexpected
> complexities that take precedence. My point is that you're effectively
> telling Damien that he should be thankful for the quick resolution
> times, and that really isn't the case with regards to the BIND issue.
>
> As for the rest of your comments: I both agree and disagree with their
> sentiments. I would have summed it up as: "responsibility's a bitch".
> Try to remember: Damien admitted point blank, up front, that his Email
> was a rant. You know what they say about opinions, right? ;-)
>
> All in all, I do hope everyone here has a good holiday season,
> regardless if that's updating 50+ servers on Christmas Eve or at home
> with family. Try to take something positive out of either experience.

I was aware, and followed along with, the discussion of the DNS problem
on this and other lists.
To me, "as fast as possible" does include overcoming the obstacles that
lie in wait beyond the brute coding. I also know that those who are more
skilled or adventurous and otherwise more fortunate could have grabbed
code and done it for themselves, but in many cases it's not possible.

I'm betting that Colin, et al., were sweating over these releases, and
really didn't want to do these releases quite so hard up against the
holidays, but I'm glad they released them as soon as they felt it was the
reasonable thing to do.

I'm just afraid I don't have a lot of time for "woe is me" when the
security of machines (and by extension of organizations) is at stake.

Kurt