On Wed, May 15, 2019 at 9:14 PM Miroslav Lachman <000.f...@quip.cz> wrote:
>
> Mel Pilgrim wrote on 2019/05/16 02:30:
> > [...]
> >
> > By batching updates, FreeBSD is making administrative decisions for other people's systems. Some folks don't need to worry about scheduling downtime and will benefit from faster update availability. Folks who need to worry about scheduling downtime are already going to batch updates and should be allowed to make those decisions for themselves. Batched SAs help in neither case.
> >
> > Example: the ntpd CVE is more than two months old, and was rapidly fixed in ports. I was able to switch my systems to the ports ntpd during a scheduled downtime window in March instead of doing it this weekend. So not only did I benefit from the faster update availability, I was able to make my own decision about my own systems and significantly reduce my exposure.
> >
> > Don't be Microsoft. Don't sit on security updates.
>
> +1
>
> Delaying / hiding security updates cannot be good. The vulnerability already exists. Delayed updates do a favor to "bad persons", not sysadmins. Even information about a found vulnerability is more valuable for sysadmins than silence. Some vulnerabilities can be mitigated by configuration changes or some service replacement (e.g. ntpd). But if I don't know that there is some vulnerability, I cannot do anything.
>
> It would also be good if base system vulnerabilities were first published in FreeBSD VuXML. Then they could be reported to sysadmins by the package security/base-audit.
+1. Reporting base + ports vulnerabilities in a common way would be great. I assume that this is already part of the pkgbase project being worked on by brd and others.

> None of these recent Sec. Advisories are listed in VuXML yet! It's a bad example of not dogfooding there.
>
> I am not saying that the FreeBSD SO do bad work. I really appreciate it. But there is still something to improve.
>
> Kind regards
> Miroslav Lachman