FreeBSD flood of 8 breakage announcements in 3 mins.

Gordon Tetlow gordon at tetlows.org
Wed May 15 17:53:03 UTC 2019 

Hi. Your friendly neighborhood Security Officer here. I published the 5
advisories and 3 errata yesterday.

On Wed, May 15, 2019 at 07:15:04PM +0200, Julian H. Stacey wrote:
> Thanks Will,
> You make some good points, but all depend on variant circustances.
> 
> I prefer to be informed ASAP, to make my own decisons with max info ASAP,
> Not delayed.  I want freebsd.org to Not Delay fix announcements into batches.

All but one of the fixes was already in the STABLE branches. So if you
wanted to track something that would get things as immediate as
possible, I would recommend looking at the STABLE branches, you just
won't get freebsd-update bits there.

Just to put a line in the sand here, I will always be batching
advisories when it works in my judgement. Granted, this batch was larger
than I wanted it to be; I ran out of time over the past couple of months
to get everything together (real life and all getting in the way).

There are two reasons I will batch:
1. Our users and the industry have a preference for batched updates.
2. There is a large upfront cost for getting the freebsd-update bits
   built. Meaning the time to do 1 advisory vs the time to do 8 makes it
   worthwhile to batch. No offense, but I value my time. I only have so
   much to devote to FreeBSD.

> As soon as exploits are in the wild, some will exploit,
> not announcing until binary updates are ready gives black hats more time.

Welcome to the push/pull of dealing with security. It is a risk based
decision, but I have the unenviable position of trying to make the best
risk based decision for the entire community. By definition, not
everyone will be happy with the decision.

> PS Here seems (*) an example of something in text config didnt even
> need to wait for src/ let alone bin. * Not sure, I'll try it later,
> got to dash off line.
> 
> https://lists.freebsd.org/pipermail/freebsd-announce/2019-May/001878.html
> ] IV.  Workaround
> ] Use 'restrict noquery' in the ntpd configuration to limit addresses that
> ] can send mode 6 queries.

I would note this is already the default config.

Best regards,
Gordon

More information about the freebsd-hackers mailing list