Batching errata & advisories in heaps degrades security.

Eric van Gyzen eric at vangyzen.net
Thu May 5 17:01:27 UTC 2016


Julian suggested that I share our private conversation:

Eric wrote:
> Regardless of my opinion on the topic, three of these are errata with no
> security implications, so the argument doesn't really apply in this context.

Julian wrote:

> Thanks Eric, fair point.  So some of my argument doesn't apply,
> better for FreeBSD than I thought. :-)  Still, batching is bad,
> just not as bad as I thought, but still 3 errata swamp the security post.


On 05/05/2016 09:59, Julian H. Stacey wrote:
> Another bunch of security alerts degrades FreeBSD by being clumped together:
>
>   Subject: [FreeBSD-Announce] FreeBSD Security Advisory FreeBSD-SA-16:17.openssl
>   Date: Wed,  4 May 2016 22:55:46 +0000 (UTC)
>   
>   Subject: [FreeBSD-Announce] FreeBSD Errata Notice FreeBSD-EN-16:06.libc
>   Date: Wed,  4 May 2016 22:56:31 +0000 (UTC)
>   
>   Subject: [FreeBSD-Announce] FreeBSD Errata Notice FreeBSD-EN-16:08.zfs
>   Date: Wed,  4 May 2016 22:56:40 +0000 (UTC)
>   
>   Subject: [FreeBSD-Announce] FreeBSD Errata Notice FreeBSD-EN-16:07.ipi
>   Date: Wed,  4 May 2016 22:56:35 +0000 (UTC)
>
> I guess many recipients get tired of recent indigestible batches of
> multiple FreeBSD Errata & think approx:
>
>   _Why_ have they been artificially batching in recent years?
>   I could spare time to interrupt work for one priority alert,
>   Not for a heap batched seconds apart! _Why_?!
>   I have no time now to action all this heap! Maybe later ...
>     ( & meanwhile security @ FreeBSD could complacently think:
>     "We published all 4, if you don't immediately find time to
>      secure all 4 & someone abuses you, don't blame us!" )
>   Are they batched in the delusion that it will help FreeBSD public relations,
>   to not scare people with too many days with FreeBSD alerts?
>   Batching _Degrades_ security.  It is bad over-management;
>   FreeBSD was better previously without batching, publishing each
>   problem when analysed, not held back for batching.
>
> Cheers,
> Julian
