Proposal

Pawel Biernacki pawel.biernacki at gmail.com
Wed Apr 9 15:29:16 UTC 2014


On 9 April 2014 15:32, Kimmo Paasiala <kpaasial at icloud.com> wrote:
> Can you name some of those projects that claim to have such quick response
> time? I'll be steering way clear of them knowing that they don't test their
> security patches before releasing them. It's really quite shocking to see
> that such unprofessional working attitude has taken so firm hold in the open
> source world. What a pity.


RedHat managed to provide the fix within 21 hours but apparently they
knew very early about the issue. FreeBSD Security Team didn't? Why?
You can _see_ the whole process on their bugzilla
https://bugzilla.redhat.com/show_bug.cgi?id=1084875.

On the other hand Xin Li acknowledged the issue answering a mail
to freebsd-security@ on Monday at 21:02 UTC and then after 21 hours of
_silence_ the fix was committed. They managed to release the fix 15
hours before FreeBSD and I assume they test things before release
because besides Fedora and CentOS they also have paying customers.

Debian acknowledged the problem at the same time as FreeBSD according
to https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=743883 but they
released the fix very, very quickly.

Ports got the fix very quickly as well.

Maybe it'll surprise you but there are still people using FreeBSD.
What are we supposed to do when so@ is silent while scripts exploiting
the issue are in the wild?
We need more transparency here.

-- 
One of God's own prototypes. A high-powered mutant of some kind never
even considered for mass production. Too weird to live, and too rare to die.
