Date: Thu, 5 May 2016 11:07:56 -0400 (EDT)
From: Benjamin Kaduk <kaduk@MIT.EDU>
To: "Julian H. Stacey" <jhs@berklix.com>
Cc: freebsd-security@freebsd.org
Subject: Re: Batching errata & advisories in heaps degrades security.
Message-ID: <alpine.GSO.1.10.1605051104570.26829@multics.mit.edu>
In-Reply-To: <201605051500.u45Exqdt084086@fire.js.berklix.net>
References: <201605051500.u45Exqdt084086@fire.js.berklix.net>

On Thu, 5 May 2016, Julian H. Stacey wrote:

> Another bunch of Security alerts, degrades FreeBSD by being clumped together:
>
> I guess many recipients get tired of recent indigestible batches of
> multiple FreeBSD Errata & think approx:

I cannot recall whether you were participating in the discussion the last
time this topic came up. Regardless, it feels like it was somewhat recent
(a year or so).

> _Why_ have they been artificially batching in last years ?
> I could spare time to interrupt work for one priority alert,
> Not for a heap batched seconds apart ! _Why_ ?!
> I have no time now to action all this heap ! Maybe later ...
> ( & meanwhile security @ FreeBSD could complacently think:
> "We published all 4, if you don't immediately find time to
> secure all 4 & someone abuses you, don't blame us !" )
> Are they batched in delusion it will help FreeBSD public relations,
> to not scare people with too many days with FreeBSD alerts ?
> Batching _Degrades_ security. It is bad over-management,
> FreeBSD was better previously without batching, publishing each
> problem when analysed, Not held back for batching.

As a member of the security team for two projects (not FreeBSD's, though),
I can say that it is a lot of behind-the-scenes work to put out
advisories, and batching them reduces the unit cost of any given one.

I further note that this recent batch that you are complaining about
contained only one security advisory and three errata notices; the
contents of the errata notices have been public for quite some time, and
affected parties are welcome to upgrade at their leisure [manually, without
freebsd-update, of course].

We can perhaps agree to disagree about whether the batching is good, but I
do not see much value in rehashing the same arguments periodically.

-Ben