Review of FreeBSD Security Advisory Process: Incl Heads Up, Dates, Etc [cont: 5599 SACK}

Roger Marquis marquis at
Sun Jul 7 16:20:31 UTC 2019

Peter Jeremy <peter at> wrote:
> Security Officer is a volunteer position and their time is valuable.
> requiring them to do more work to provide information

Problem is such communications are critical for end-users.

We all know the security teams are woefully over-burdened and
under-resourced but why argue for the status-quo?  Wouldn't it be better
to appoint a communications coordinator and/or actually PAY THE SECURITY
TEAMS so they can do the job without financial sacrifice.

Looking at items the FreeBSD Foundation funds which have no measurable
effect on the size of the user-base, and at the former BSD shops
converting to Linux because of security, I don't know, just seems like a
no-brainer from here.

Many years ago people recommended only updating ports which had security
advisories.  Now nobody recommends that.  Instead they recommend
updating with every patch and keeping an eye on NIST CVEs, Bugtraq and
Redhat, Debian and Ubuntu advisories.  Even following advisories via RSS
is, unfortunately, unsustainable overhead at most organizations.

A few years ago people recommended submitting vuxml entries when new
advisories came out.  Some of us did that and were surprised to find
that even remote exploit (CVE level 7+) reports could sit in the queue
for days or weeks.  Follow-ups would be met with the same "we're all
volunteers here".  Not surprisingly we (volunteer patch and vuxml
submitters) no longer do that either.

Perhaps this is tilting at windmills but wouldn't it be better to at
least try beefing-up security support and creating a sustainable
SECURITY BUDGET?  If it grew the user-base by only a few percent that
would at the very least make everyone's contribution more valuable.

Roger Marquis

More information about the freebsd-questions mailing list