On 09/04/2014 16:17, Walter Hop wrote:
>> In my opinion this issue couldn't have been handled any better considering what
>> it takes to do the job properly, congrats to the security team from me.
>> -Kimmo
>
> Please don't frame this as criticism of the security people, that's not fair.
> Of course we all congratulate them :)
> I think we're just interested in discussing what could be improved to improve
> response time and also make their lives better.
> Do we need moar Jenkins? Extra build boxes? More cash to keep people on
> retainer? Resources for training new people? Liaisons with other projects to
> improve prior notification channels? Etc.
> FreeBSD ports had a fix after ~4 hours I think, Ubuntu patched their base about
> an hour later, FreeBSD base took around 24 hours. Not super bad, but I think
> it's safe to expect much more scrutiny of security-critical code in the coming
> years, so it looks like a good time to try to streamline if possible at all.
> The public attention for this and similar events may also provide a unique
> window of opportunity for soliciting extra resources from professional users
> (e.g. via a Foundation campaign).
24 hours for a fix that doesn't break ABI and is relatively simple (and
proven to be fine by other distros) is horrendous for such a critical
problem. I mentioned this on twitter also, but there wasn't even a
headsup from the SO until the patch went live.
_______________________________________________
freebsd-security@freebsd.org mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-security
To unsubscribe, send any mail to "freebsd-security-unsubscr...@freebsd.org"