Re: Proposal

Board: FB_security, posted 11 years ago (2014/04/10 02:01), votes 0 (0/0/0)
0 comments, 0 participants, thread 14/37
On 09/04/2014 16:17, Walter Hop wrote:
>> In my opinion this issue couldn't have been handled any better considering what it takes to do the job properly, congrats to the security team from me.
>>
>> -Kimmo
>
> Please don't frame this as criticism of the security people, that's not fair. Of course we all congratulate them :)
>
> I think we're just interested in discussing what could be improved to improve response time and also make their lives better.
>
> Do we need moar Jenkins? Extra build boxes? More cash to keep people on retainer? Resources for training new people? Liaisons with other projects to improve prior notification channels? Etc.
>
> FreeBSD ports had a fix after ~4 hours I think, Ubuntu patched their base about an hour later, FreeBSD base took around 24 hours. Not super bad, but I think it's safe to expect much more scrutiny of security-critical code in the coming years, so it looks like a good time to try to streamline if possible at all.
>
> The public attention for this and similar events may also provide a unique window of opportunity for soliciting extra resources from professional users (e.g. via a Foundation campaign).
>

24 hours for a fix that doesn't break ABI and is relatively simple (and proven to be fine by other distros) is horrendous for such a critical problem. I mentioned this on Twitter also, but there wasn't even a heads-up from the SO until the patch went live.

_______________________________________________
freebsd-security@freebsd.org mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-security
To unsubscribe, send any mail to "freebsd-security-unsubscribe@freebsd.org"
Article ID (AID): #1JHOhWHX (FB_security)