From: Steven Hartland
To: freebsd-security@freebsd.org
Subject: Re: Batching errata & advisories in heaps degrades security.
Date: Thu, 5 May 2016 17:37:56 +0100
Message-ID: <3930e03c-f81b-1366-6c76-20549768cfe4@multiplay.co.uk>
In-Reply-To: <201605051625.u45GPODc084944@fire.js.berklix.net>

On 05/05/2016 17:25, Julian H. Stacey wrote:
> Benjamin Kaduk wrote:
>
>> As a member of the security team for two projects (not FreeBSD's, though),
>> I can say that it is a lot of behind-the-scenes work to put out
>> advisories,
> Of course.
>
>> and batching them reduces the unit cost of any given one.
> If so, their issue, not ours. Our concern is FreeBSD.
>
>
>> the
>> contents of the errata notices have been public for quite some time
> URLs ? If info was complete early, delaying those announcements
> degraded security of recipients. Batching also swamps recipients.
> Totally the opposite, it means one rollout instead of X rollouts making it simpler not harder.