From: Lowell Gilbert
To: freebsd-doc@freebsd.org
Subject: Re: [from freebsd-hackers] Re: Missing sec advisories
Date: Thu, 10 Mar 2016 15:57:15 -0500
In-Reply-To: <20160310172537.000035ce@gmail.com> (rank1seeker@gmail.com's message of "Thu, 10 Mar 2016 17:25:37 +0100")
Message-ID: <44egbihx04.fsf@lowell-desk.lan>

rank1seeker@gmail.com writes:

> Thanks for reply.
>
> On Tue, 08 Mar 2016 18:27:21 -0500
> Lowell Gilbert wrote:
>
>> writes:
>>
>> > 10-REL, for 20160303 p13 FreeBSD-SA-16:12.openssl, why is there no
>> > https://www.freebsd.org/security/advisories/FreeBSD-SA-16:12.openssl.asc
>>
>> Latest word on the security mailing list (which is the appropriate
>> place to discuss these things) is that the fix is not yet complete.
>
> But it HAS been committed in release tree, as p13
> Why did they commit it at all then, if it isn't yet complete?

I don't have any inside information, but I would assume that they were
reasonably sure that what was committed was an improvement, even if they
weren't positive that the problem was completely solved by that commit.

We should also note that the security advisory has now been issued.

>> > And even when there is one for a patch, it becomes available
>> > sometimes even after half of day, after patch has been released.
>>
>> There's no point in publishing a security advisory until after the fix
>> has been successfully built and propagated out to the mirrors. People
>> get confused if they're told a fix is available but freebsd-update
>> doesn't give it to them.
>
> So it isn't possible to publish a security advisory JUST after patch
> has been committed, because one must wait for it to be propagated
> out to the mirrors?

Of course it's *possible*. It's a bad idea (it would result in lots of
users thinking incorrectly that they had applied the fix), but it would
be possible.