Date:      Wed, 09 Apr 2014 16:37:42 +0100
From:      Joe Holden <lists@rewt.org.uk>
To:        freebsd-security@freebsd.org
Subject:   Re: Proposal
Message-ID:  <53456946.9030200@rewt.org.uk>
In-Reply-To: <8D81F198-36A7-47F4-B486-DA059910A6B4@spam.lifeforms.nl>
References:  <9eeba1ab-2ab0-4188-82aa-686c5573a5db@me.com> <8D81F198-36A7-47F4-B486-DA059910A6B4@spam.lifeforms.nl>

On 09/04/2014 16:17, Walter Hop wrote:
>> In my opinion this issue couldn't have been handled any better considering what it takes to do the job properly, congrats to the security team from me.
>>
>> -Kimmo
>
> Please don’t frame this as criticism of the security people, that’s not fair. Of course we all congratulate them :)
>
> I think we’re just interested in discussing what could be improved to improve response time and also make their lives better.
>
> Do we need moar Jenkins? Extra build boxes? More cash to keep people on retainer? Resources for training new people? Liaisons with other projects to improve prior notification channels? Etc.
>
> FreeBSD ports had a fix after ~4 hours I think, Ubuntu patched their base about an hour later, FreeBSD base took around 24 hours. Not super bad, but I think it’s safe to expect much more scrutiny of security-critical code in the coming years, so it looks like a good time to try to streamline if possible at all.
>
> The public attention for this and similar events may also provide a unique window of opportunity for soliciting extra resources from professional users (e.g. via a Foundation campaign).
>
24 hours for a fix that doesn't break ABI and is relatively simple (and 
proven to be fine by other distros) is horrendous for such a critical 
problem.  I mentioned this on Twitter also, but there wasn't even a
heads-up from the SO until the patch went live.


