Date: Wed, 15 May 2019 21:16:57 -0600
From: Alan Somers <asomers@freebsd.org>
To: Miroslav Lachman <000.fbsd@quip.cz>
Cc: Mel Pilgrim <list_freebsd@bluerosetech.com>, FreeBSD Stable ML <stable@freebsd.org>
Subject: Re: FreeBSD flood of 8 breakage announcements in 3 mins.
Message-ID: <CAOtMX2hnk2Y3ZD3r5XOgjXp_otMoi_m0uXZ0EFs6WRgGpS9qAw@mail.gmail.com>
In-Reply-To: <fdb00d1a-3cf2-89ac-a03c-010c8a7501d6@quip.cz>
References: <201905151425.x4FEPNqk065975@fire.js.berklix.net> <e8125e97-6308-5ad0-b850-6825069683d4@bluerosetech.com> <fdb00d1a-3cf2-89ac-a03c-010c8a7501d6@quip.cz>
On Wed, May 15, 2019 at 9:14 PM Miroslav Lachman <000.fbsd@quip.cz> wrote:
>
> Mel Pilgrim wrote on 2019/05/16 02:30:
>
> [...]
>
> > By batching updates, FreeBSD is making administrative decisions for
> > other people's systems. Some folks don't need to worry about scheduling
> > downtime and will benefit from faster update availability. Folks who
> > need to worry about scheduling downtime are already going to batch
> > updates and should be allowed to make those decisions for themselves.
> > Batched SAs help in neither case.
> >
> > Example: the ntpd CVE is more than two months old, and was rapidly fixed
> > in ports. I was able to switch my systems to the ports ntpd during a
> > scheduled downtime window in March instead of doing it this weekend. So
> > not only did I benefit from the faster update availability, I was able
> > to make my own decision about my own systems and significantly reduce my
> > exposure.
> >
> > Don't be Microsoft. Don't sit on security updates.
>
> +1
>
> Delaying / hiding security updates cannot be good. The vulnerability
> already exists. Delayed updates do a favor to "bad persons", not to
> sysadmins. Even information about a found vulnerability is more valuable
> to sysadmins than silence. Some vulnerabilities can be mitigated by
> configuration changes or some service replacement (e.g. ntpd). But if I
> don't know that there is some vulnerability, I cannot do anything.
>
> It would also be good if base system vulnerabilities were first published
> in FreeBSD vuxml. Then they can be reported to sysadmins by the package
> security/base-audit.

+1. Reporting base + ports vulnerabilities in a common way would be
great. I assume that this is already part of the pkgbase project being
worked on by brd and others.

> None of these recent Sec. Advisories are listed in Vuxml yet! It's a bad
> example of not dogfooding there.
>
> I am not saying that FreeBSD SO do bad work. I really appreciate it. But
> there is still something to improve.
>
> Kind regards
> Miroslav Lachman