Date: Wed, 9 Apr 2014 23:46:35 +0100 From: Pawel Biernacki <pawel.biernacki@gmail.com> To: =?UTF-8?Q?Dag=2DErling_Sm=C3=B8rgrav?= <des@des.no> Cc: freebsd-security@freebsd.org, Kimmo Paasiala <kpaasial@icloud.com>, Walter Hop <freebsd@spam.lifeforms.nl> Subject: Re: Proposal Message-ID: <CAA3htvv_DePi_A-UjtG0hvybfRSE8KgvSjq5m3yM0FGX9%2BL6QQ@mail.gmail.com> In-Reply-To: <867g6y1kfe.fsf@nine.des.no> References: <9eeba1ab-2ab0-4188-82aa-686c5573a5db@me.com> <8D81F198-36A7-47F4-B486-DA059910A6B4@spam.lifeforms.nl> <867g6y1kfe.fsf@nine.des.no>
next in thread | previous in thread | raw e-mail | index | archive | help
On 9 April 2014 18:28, Dag-Erling Sm=C3=B8rgrav <des@des.no> wrote: > Walter Hop <freebsd@spam.lifeforms.nl> writes: >> FreeBSD ports had a fix after ~4 hours I think, Ubuntu patched their >> base about an hour later, FreeBSD base took around 24 hours. > > All Bryan had to do to update the port was change the version number in > the Makefile, run "make makesum" and commit. I assume that he did some > testing as well, but apart from that, he probably spent more time > writing the commit message than actually updating the port. > > Ubuntu is much the same, since they distribute OpenSSL as a package > rather than part of the base system - they don't even _have_ a base > system. > > RedHat had prior notice since one of the OpenSSL devs is on their > security team. They had an update ready to roll out before the issue > was leaked (the builds are dated 2014-04-07 11:34:45 UTC), and were > basically just waiting for the announcement, which was originally > planned for today. > > To update OpenSSL in the FreeBSD base system, Xin first had to verify > which FreeBSD releases were vulnerable and which weren't. He then had > to obtain, verify, apply and test a patch for head, stable/10 and > releng/10.0. Next, he had to upload the patch to the freebsd-update > build servers and start the builds, which take several hours. Once the > builds were done, he had to sign them and move them to the master > server, from which they propagated to the mirrors, and then sign the > release. > > Once the builds were ready to go, he moved into a phase where everything > had to happen more or less simultaneously: commit the patches, finalize > the advisory (which contains revision numbers and timestamps), sign it, > then commit the advisory and the patch to the doc tree, update the > relevant portions of the web site, wait for them to propagate (or grab a > passing member of clusteradm@ and have them push it through manually), > and finally mail out the advisory. > > Bonus points for updating vuln.xml and liaising with MITRE / CMU CERT / > NVD / what have you. > > And yes, he has a whole team, but apart from writing the advisory (which > is a lot more work than you'd think), this process is pretty much > single-threaded. The best you can hope for is to have someone relieve > you while you eat and sleep. > > And while everybody is running around yelling OMG THE INTERNET IS ON > FIRE and calling this an unprecedented event, I'm sitting here with a > strong sense of d=C3=A9ja vu, because this sort of thing actually happens > quite often. Off the top of my head, I can think of two advisories last > year - out of 14 - that were more or less rushed out in a panic. > Thank you for sharing that story. If you want to make an excuse that a build took a long time - it's really a poor one. If the build cluster is too slow then project need to acquire a new one. If there is no chance to get one from big friends of the project maybe it should be publicly announced that there is a need for new hardware and/or money for it. It's as easy as that. We - the users - are still here willing to help. Many of us had very hard time during last 48 hours. I know that when you fill responsible for something you want to do as much as you can, but you need to sleep, eat, etc.. If the whole process is to overwhelming for one person maybe it's time to think about extending the SO team or reorganising the process of preparing patched releases? If there is a need of hands, manpower or so why not ask the community to help? Since such situations had happened in the past and are still happening, something should be done about them. --=20 One of God's own prototypes. A high-powered mutant of some kind never even considered for mass production. Too weird to live, and too rare to die= .
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?CAA3htvv_DePi_A-UjtG0hvybfRSE8KgvSjq5m3yM0FGX9%2BL6QQ>