Date: Sun, 7 Jul 2019 09:20:21 -0700 (PDT)
From: Roger Marquis <marquis@roble.com>
To: freebsd-security@freebsd.org
Cc: freebsd-questions@freebsd.org
Subject: Re: Review of FreeBSD Security Advisory Process: Incl Heads Up, Dates, Etc [cont: 5599 SACK}
Message-ID: <nycvar.OFS.7.76.444.1907070740500.63794@mx.roble.com>
In-Reply-To: <CAD2Ti2806NVdod%2B-efsAOrJPRi5W6sCxeC2Hd745suOj1=H4Hw@mail.gmail.com>
References: <CAD2Ti2-BEx78=pKN%2B7JyxSYWhyCOLYvsOCSu2zB_vXs=BBkUew@mail.gmail.com> <20190705060652.GA2974@server.rulingia.com> <CAD2Ti2806NVdod%2B-efsAOrJPRi5W6sCxeC2Hd745suOj1=H4Hw@mail.gmail.com>
Peter Jeremy <peter@rulingia.com> wrote:

> Security Officer is a volunteer position and their time is valuable.
> requiring them to do more work to provide information

Problem is such communications are critical for end-users. We all know the security teams are woefully over-burdened and under-resourced, but why argue for the status quo? Wouldn't it be better to appoint a communications coordinator and/or actually PAY THE SECURITY TEAMS so they can do the job without financial sacrifice? Looking at items the FreeBSD Foundation funds which have no measurable effect on the size of the user-base, and at the former BSD shops converting to Linux because of security, I don't know, it just seems like a no-brainer from here.

Many years ago people recommended only updating ports which had security advisories. Now nobody recommends that. Instead they recommend updating with every patch and keeping an eye on NIST CVEs, Bugtraq and Red Hat, Debian and Ubuntu advisories. Even following advisories via RSS is, unfortunately, unsustainable overhead at most organizations.

A few years ago people recommended submitting vuxml entries when new advisories came out. Some of us did that and were surprised to find that even remote exploit (CVE level 7+) reports could sit in the queue for days or weeks. Follow-ups would be met with the same "we're all volunteers here". Not surprisingly, we (volunteer patch and vuxml submitters) no longer do that either.

Perhaps this is tilting at windmills, but wouldn't it be better to at least try beefing up security support and creating a sustainable SECURITY BUDGET? If it grew the user-base by only a few percent, that would at the very least make everyone's contribution more valuable.

IMO,
Roger Marquis