Date: Wed, 9 Apr 2014 09:28:46 -0700
From: jungleboogie0 <jungleboogie0@gmail.com>
To: Walter Hop <freebsd@spam.lifeforms.nl>
Cc: freebsd-security@freebsd.org, Pawel Biernacki <pawel.biernacki@gmail.com>, Kimmo Paasiala <kpaasial@icloud.com>, Dag-Erling Smørgrav <des@des.no>
Subject: Re: Proposal
Message-ID: <CAKE2PDuR9Av2HeYzQPbE%2BP2=eB1obY=aOSRrWtrjGLWynQSXCg@mail.gmail.com>
In-Reply-To: <8D81F198-36A7-47F4-B486-DA059910A6B4@spam.lifeforms.nl>
References: <9eeba1ab-2ab0-4188-82aa-686c5573a5db@me.com> <8D81F198-36A7-47F4-B486-DA059910A6B4@spam.lifeforms.nl>
Hi Walter,

On 9 April 2014 08:17, Walter Hop <freebsd@spam.lifeforms.nl> wrote:
>> In my opinion this issue couldn't have been handled any better considering what it takes to do the job properly, congrats to the security team from me.
>>
>> -Kimmo
>
> Please don’t frame this as criticism of the security people, that’s not fair. Of course we all congratulate them :)
>
> I think we’re just interested in discussing what could be improved to improve response time and also make their lives better.
>
> Do we need moar Jenkins? Extra build boxes? More cash to keep people on retainer? Resources for training new people? Liaisons with other projects to improve prior notification channels? Etc.
>
> FreeBSD ports had a fix after ~4 hours I think, Ubuntu patched their base about an hour later, FreeBSD base took around 24 hours. Not super bad, but I think it’s safe to expect much more scrutiny of security-critical code in the coming years, so it looks like a good time to try to streamline if possible at all.
>

Please let us not forget that kernel.org was hacked and not detected for 17 days:
http://www.theregister.co.uk/2011/08/31/linux_kernel_security_breach/

I would rather wait 24 hours for a fix that's been verified and reviewed over having to re-update the system. It looks like many Linux distros had this updated before FreeBSD, but it's a matter of hours we're talking about.

> The public attention for this and similar events may also provide a unique window of opportunity for soliciting extra resources from professional users (e.g. via a Foundation campaign).
>
> --
> Walter Hop | PGP key: https://lifeforms.nl/pgp
>

-- 
-------
inum: 883510009902611
sip: jungleboogie@sip2sip.info
xmpp: jungle-boogie@jit.si