The problem here is that a workaround wasn't communicated and I suspect
a very small number of religious users actually sub to security@ - also
bear in mind that the website wasn't updated until a number of hours
after, including rss which I suspect most people use.
I am not trying to undermine the required testing here, but a simple
binary patch via freebsd-update to disable heartbeats would have done in
the interim (who even uses them, or knows about them).
IME issues like this need to be patched first, tested later since it
covers probably a large portion of the user base. I will say that the
Cloudflare disclosure was entirely irresponsible and an attempt at sly
marketing, but someone should have been on this (not discounting Xin
Li's quick patch, which basically nobody saw) straight away.
If it is a case of lack of resources then as already mentioned, more
resource is available if required - although I am unaware of the
approval procedures required to publish such a patch.
Not trying to start a flame war here but we've been upstaged by CentOS
of all things...
Cheers,
Joe
On 09/04/2014 21:12, Dag-Erling Smørgrav wrote:
Nathan Dorfman <n...@rtfm.net> writes:
Is it implausible to suggest that before embarking on the task of
backporting, reviewing, testing and releasing the actual fix, an
announcement could have been made immediately with the much simpler
workaround of adding -DOPENSSL_NO_HEARTBEATS to the OpenSSL compiler
flags?
No, that's not implausible, although I don't know whether that
workaround was known at the time. It seems obvious in retrospect, but
may not have been that obvious under pressure. Was it mentioned in the
OpenSSL advisory?
If all you wanted to hear was "we're working on it", well, Xin did write
that on -security almost exactly 48 hours ago.
DES
_______________________________________________
freebsd-security@freebsd.org mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-security
To unsubscribe, send any mail to "freebsd-security-unsubscr...@freebsd.org"