Date: Thu, 10 Apr 2014 19:28:53 +1000 (EST)
From: Ian Smith
To: Pawel Biernacki
Cc: freebsd-security@freebsd.org, joeuser@rootservice.org
Subject: Re: Proposal
Message-ID: <20140410183123.L54500@sola.nimnet.asn.au>

On Wed, 9 Apr 2014 19:00:52 +0100, Pawel Biernacki wrote:
 > On 9 April 2014 17:08, Joe User wrote:
 > > On 09.04.2014 17:29, Pawel Biernacki wrote:
 > >> [snip]
 > >> We need more transparency here.
 > >>
 > >
 > > Please read this and other related threads and you'll understand that
 > > the FreeBSD-SecTeam had no real chance to react earlier than they did.
 > > http://seclists.org/oss-sec/2014/q2/22
 > >
 > > In fact, they were really fast, thanks therefor.

Personally, I'm well impressed by the speed (and care) with which this happened, in the by now very well explained course of events. Special thanks to Xin for all the single-threaded work and Dag-Erling for the explanations, though I'm sure there were other willing hands on deck.

 > Interesting lecture, thank you. But if FreeBSD SO wasn't on the
 > mentioned list it's an argument for payable position because that can
 > help developing more efficient social network in the future ;-).

That's no argument for a paid SO at all, but seeing a few people banging on how throwing money at such problems could or should help, I'd like to offer a counter argument - off-topic as this whole aspect surely is.

In a largely voluntary project such as FreeBSD, or for that matter any number of community volunteer efforts, the introduction of paid staff can - unless handled with extreme sensitivity - be a kiss of death.

As soon as there's someone/s whose paid job it is to perform such roles, many of the other, voluntary members of a team such as Security are more likely to tend to sit back and expect or allow the employee to 'do his or her job'. However well-meaning, that's a natural tendency that can often dissipate the collaborative energies of enthusiastic volunteers; I've seen this occur in many once-voluntary organisations over 40 years.

As far as I can determine, the Foundation already supports the SO and other senior developers in other useful ways; conference accommodation and travel, access to infrastructure, etc, and provides grants to people for specific projects, including ongoing ones like Release Engineering; this is entirely appropriate and serves to consolidate voluntary energy, not to compete with it.

My 2 Yen - I know, not worth much these days - Ian