Date: Wed, 9 Apr 2014 16:29:13 +0100 From: Pawel Biernacki <pawel.biernacki@gmail.com> To: freebsd-security@freebsd.org Subject: Re: Proposal Message-ID: <CAA3htvve4NNvmN0QOf6v4RwbT8PmGrSCFzNCbivfaEMN7J26Ow@mail.gmail.com>
On 9 April 2014 15:32, Kimmo Paasiala <kpaasial@icloud.com> wrote:
> Can you name some of those projects that claim to have such quick response
> time? I'll be steering way clear of them knowing that they don't test their
> security patches before releasing them. It's really quite shocking to see
> that such an unprofessional working attitude has taken so firm a hold in the open
> source world. What a pity.

RedHat managed to provide the fix within 21 hours but apparently they knew very early about the issue. FreeBSD Security Team didn't? Why? You can _see_ the whole process on their bugzilla https://bugzilla.redhat.com/show_bug.cgi?id=1084875. On the other hand Xin Li acknowledged the issue answering a mail to freebsd-security@ on Monday at 21:02 UTC and then after 21 hours of _silence_ the fix was committed. They managed to release the fix 15 hours before FreeBSD and I assume they test things before release because besides Fedora and CentOS they also have paying customers.

Debian acknowledged the problem at the same time as FreeBSD according to https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=743883 but they released a fix very very quickly. Ports got the fix very quickly as well.

Maybe it'll surprise you but there are still people using FreeBSD. What are we supposed to do when so@ is silent while scripts exploiting the issue are in the wild? We need more transparency here.

--
One of God's own prototypes. A high-powered mutant of some kind never even considered for mass production. Too weird to live, and too rare to die.