From: Pawel Biernacki
To: freebsd-security@freebsd.org
Date: Wed, 9 Apr 2014 16:29:13 +0100
Subject: Re: Proposal
On 9 April 2014 15:32, Kimmo Paasiala wrote:

> Can you name some of those projects that claim to have such quick response
> time? I'll be steering way clear of them knowing that they don't test their
> security patches before releasing them. It's really quite shocking to see
> that such an unprofessional working attitude has taken so firm a hold in the open
> source world. What a pity.

Red Hat managed to provide the fix within 21 hours, but apparently they knew very early about the issue. FreeBSD Security Team didn't? Why? You can _see_ the whole process on their bugzilla: https://bugzilla.redhat.com/show_bug.cgi?id=1084875.

On the other hand, Xin Li acknowledged the issue answering a mail to freebsd-security@ on Monday at 21:02 UTC, and then after 21 hours of _silence_ the fix was committed. They managed to release the fix 15 hours before FreeBSD, and I assume they test things before release because besides Fedora and CentOS they also have paying customers.

Debian acknowledged the problem at the same time as FreeBSD according to https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=743883, but they released the fix very, very quickly. Ports got the fix very quickly as well.

Maybe it'll surprise you, but there are still people using FreeBSD. What are we supposed to do when so@ is silent while scripts exploiting the issue are in the wild? We need more transparency here.

-- 
One of God's own prototypes. A high-powered mutant of some kind never even considered for mass production. Too weird to live, and too rare to die.