Proposal

jungleboogie0 jungleboogie0 at gmail.com
Wed Apr 9 16:28:47 UTC 2014


Hi Walter,


On 9 April 2014 08:17, Walter Hop <freebsd at spam.lifeforms.nl> wrote:
>> In my opinion this issue couldn't have been handled any better considering what it takes to do the job properly, congrats to the security team from me.
>>
>> -Kimmo
>
> Please don’t frame this as criticism of the security people, that’s not fair. Of course we all congratulate them :)
>
> I think we’re just interested in discussing what could be improved to improve response time and also make their lives better.
>
> Do we need moar Jenkins? Extra build boxes? More cash to keep people on retainer? Resources for training new people? Liaisons with other projects to improve prior notification channels? Etc.
>
> FreeBSD ports had a fix after ~4 hours I think, Ubuntu patched their base about an hour later, FreeBSD base took around 24 hours. Not super bad, but I think it’s safe to expect much more scrutiny of security-critical code in the coming years, so it looks like a good time to try to streamline if possible at all.
>

Please let us not forget that kernel.org was hacked and not detected
for 17 days: http://www.theregister.co.uk/2011/08/31/linux_kernel_security_breach/


I would rather wait 24 hours for a fix that's been verified and
reviewed over having to re-update the system. It looks like many Linux
distros had this updated before FreeBSD, but it's a matter of hours
we're talking about.



> The public attention for this and similar events may also provide a unique window of opportunity for soliciting extra resources from professional users (e.g. via a Foundation campaign).
>
> --
> Walter Hop | PGP key: https://lifeforms.nl/pgp
>


-- 
-------
inum: 883510009902611
sip: jungleboogie at sip2sip.info
xmpp: jungle-boogie at jit.si