Hi Walter,
On 9 April 2014 08:17, Walter Hop <free...@spam.lifeforms.nl> wrote:

>> In my opinion this issue couldn't have been handled any better considering
>> what it takes to do the job properly, congrats to the security team from me.
>>
>> -Kimmo
>
> Please don't frame this as criticism of the security people, that's not fair.
> Of course we all congratulate them :)
>
> I think we're just interested in discussing what could be improved to improve
> response time and also make their lives better.
>
> Do we need moar Jenkins? Extra build boxes? More cash to keep people on
> retainer? Resources for training new people? Liaisons with other projects to
> improve prior notification channels? Etc.
>
> FreeBSD ports had a fix after ~4 hours I think, Ubuntu patched their base
> about an hour later, FreeBSD base took around 24 hours. Not super bad, but I
> think it's safe to expect much more scrutiny of security-critical code in the
> coming years, so it looks like a good time to try to streamline if possible
> at all.

Please let us not forget that kernel.org was hacked and not detected for 17 days:
http://www.theregister.co.uk/2011/08/31/linux_kernel_security_breach/

I would rather wait 24 hours for a fix that's been verified and reviewed than
have to re-update the system. It looks like many Linux distros had this updated
before FreeBSD, but it's a matter of hours we're talking about.

> The public attention for this and similar events may also provide a unique
> window of opportunity for soliciting extra resources from professional users
> (e.g. via a Foundation campaign).
>
> --
> Walter Hop | PGP key: https://lifeforms.nl/pgp

--
-------
inum: 883510009902611
sip: jungleboo...@sip2sip.info
xmpp: jungle-boo...@jit.si