[from freebsd-hackers] Re: Missing sec advisories

Lowell Gilbert freebsd-lists at be-well.ilk.org
Thu Mar 10 21:03:06 UTC 2016


<rank1seeker at gmail.com> writes:

> Thanks for reply.
>
> On Tue, 08 Mar 2016 18:27:21 -0500
> Lowell Gilbert <freebsd-lists at be-well.ilk.org> wrote:
>
>> <rank1seeker at gmail.com> writes:
>> 
>> > 10-REL, for 20160303 p13 FreeBSD-SA-16:12.openssl, why is there no
>> >     https://www.freebsd.org/security/advisories/FreeBSD-SA-16:12.openssl.asc
>> 
>> Latest word on the security mailing list (which is the appropriate
>> place to discuss these things) is that the fix is not yet complete.
>
> But it HAS been committed in the release tree, as p13.
> Why did they commit it at all then, if it isn't yet complete?

I don't have any inside information, but I would assume that they were
reasonably sure that what was committed was an improvement, even if they
weren't positive that the problem was completely solved by that commit.

We should also note that the security advisory has now been issued.

>> > And even when there is one for a patch, it sometimes becomes
>> > available only half a day after the patch has been released.
>> 
>> There's no point in publishing a security advisory until after the fix
>> has been successfully built and propagated out to the mirrors. People
>> get confused if they're told a fix is available but freebsd-update
>> doesn't give it to them.
>
> So it isn't possible to publish a security advisory JUST after a patch
> has been committed, because one must wait for it to be propagated
> out to the mirrors?

Of course it's *possible*. It's a bad idea (it would result in lots of
users thinking incorrectly that they had applied the fix), but it would
be possible.
