From owner-freebsd-security@FreeBSD.ORG Wed Apr 9 15:44:52 2014
Message-ID: <53456946.9030200@rewt.org.uk>
Date: Wed, 09 Apr 2014 16:37:42 +0100
From: Joe Holden
To: freebsd-security@freebsd.org
Subject: Re: Proposal
References: <9eeba1ab-2ab0-4188-82aa-686c5573a5db@me.com> <8D81F198-36A7-47F4-B486-DA059910A6B4@spam.lifeforms.nl>
In-Reply-To: <8D81F198-36A7-47F4-B486-DA059910A6B4@spam.lifeforms.nl>

On 09/04/2014 16:17, Walter Hop wrote:
>> In my opinion this issue couldn't have been handled any better considering what it takes to do the job properly, congrats to the security team from me.
>>
>> -Kimmo
>
> Please don’t frame this as criticism of the security people, that’s not fair. Of course we all congratulate them :)
>
> I think we’re just interested in discussing what could be improved to improve response time and also make their lives better.
>
> Do we need moar Jenkins? Extra build boxes? More cash to keep people on retainer? Resources for training new people? Liaisons with other projects to improve prior notification channels? Etc.
>
> FreeBSD ports had a fix after ~4 hours I think, Ubuntu patched their base about an hour later, FreeBSD base took around 24 hours. Not super bad, but I think it’s safe to expect much more scrutiny of security-critical code in the coming years, so it looks like a good time to try to streamline if possible at all.
>
> The public attention for this and similar events may also provide a unique window of opportunity for soliciting extra resources from professional users (e.g. via a Foundation campaign).
>

24 hours for a fix that doesn't break ABI and is relatively simple (and proven to be fine by other distros) is horrendous for such a critical problem. I mentioned this on Twitter also, but there wasn't even a heads-up from the SO until the patch went live.