From owner-freebsd-security@FreeBSD.ORG Wed Apr 9 22:46:36 2014
From: Pawel Biernacki
To: Dag-Erling Smørgrav
Cc: freebsd-security@freebsd.org, Kimmo Paasiala, Walter Hop
Date: Wed, 9 Apr 2014 23:46:35 +0100
Subject: Re: Proposal
In-Reply-To: <867g6y1kfe.fsf@nine.des.no>
List-Id: Security issues [members-only posting] (freebsd-security@freebsd.org)

On 9 April 2014 18:28, Dag-Erling Smørgrav wrote:
> Walter Hop writes:
>> FreeBSD ports had a fix after ~4 hours I think, Ubuntu patched their
>> base about an hour later, FreeBSD base took around 24 hours.
>
> All Bryan had to do to update the port was change the version number in
> the Makefile, run "make makesum" and commit. I assume that he did some
> testing as well, but apart from that, he probably spent more time
> writing the commit message than actually updating the port.
>
> Ubuntu is much the same, since they distribute OpenSSL as a package
> rather than part of the base system - they don't even _have_ a base
> system.
>
> RedHat had prior notice since one of the OpenSSL devs is on their
> security team. They had an update ready to roll out before the issue
> was leaked (the builds are dated 2014-04-07 11:34:45 UTC), and were
> basically just waiting for the announcement, which was originally
> planned for today.
>
> To update OpenSSL in the FreeBSD base system, Xin first had to verify
> which FreeBSD releases were vulnerable and which weren't. He then had
> to obtain, verify, apply and test a patch for head, stable/10 and
> releng/10.0. Next, he had to upload the patch to the freebsd-update
> build servers and start the builds, which take several hours. Once the
> builds were done, he had to sign them and move them to the master
> server, from which they propagated to the mirrors, and then sign the
> release.
>
> Once the builds were ready to go, he moved into a phase where everything
> had to happen more or less simultaneously: commit the patches, finalize
> the advisory (which contains revision numbers and timestamps), sign it,
> then commit the advisory and the patch to the doc tree, update the
> relevant portions of the web site, wait for them to propagate (or grab a
> passing member of clusteradm@ and have them push it through manually),
> and finally mail out the advisory.
>
> Bonus points for updating vuln.xml and liaising with MITRE / CMU CERT /
> NVD / what have you.
>
> And yes, he has a whole team, but apart from writing the advisory (which
> is a lot more work than you'd think), this process is pretty much
> single-threaded. The best you can hope for is to have someone relieve
> you while you eat and sleep.
>
> And while everybody is running around yelling OMG THE INTERNET IS ON
> FIRE and calling this an unprecedented event, I'm sitting here with a
> strong sense of déjà vu, because this sort of thing actually happens
> quite often. Off the top of my head, I can think of two advisories last
> year - out of 14 - that were more or less rushed out in a panic.
>

Thank you for sharing that story. If you want to make an excuse that a
build took a long time - it's really a poor one. If the build cluster is
too slow, then the project needs to acquire a new one. If there is no
chance to get one from big friends of the project, maybe it should be
publicly announced that there is a need for new hardware and/or money
for it. It's as easy as that. We - the users - are still here, willing
to help.

Many of us had a very hard time during the last 48 hours. I know that
when you feel responsible for something you want to do as much as you
can, but you need to sleep, eat, etc. If the whole process is too
overwhelming for one person, maybe it's time to think about extending
the SO team or reorganising the process of preparing patched releases?

If there is a need for hands, manpower or the like, why not ask the
community to help? Since such situations have happened in the past and
are still happening, something should be done about them.

-- 
One of God's own prototypes. A high-powered mutant of some kind never
even considered for mass production. Too weird to live, and too rare to
die.