Pawel Biernacki
2014-Apr-09 12:36 UTC
Proposal (Was: Re: FreeBSD Security Advisory FreeBSD-SA-14:06.openssl)
On 9 April 2014 00:34, FreeBSD Security Advisories <security-advisories at freebsd.org> wrote:
> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: SHA512
>
> ============================================================================
> FreeBSD-SA-14:06.openssl Security Advisory
> The FreeBSD Project
>
> Topic: OpenSSL multiple vulnerabilities
>
> Category: contrib
> Module: openssl
> Announced: 2014-04-08
> Affects: All supported versions of FreeBSD.
> Corrected: 2014-04-08 18:27:39 UTC (stable/10, 10.0-STABLE)
> 2014-04-08 18:27:46 UTC (releng/10.0, 10.0-RELEASE-p1)
> 2014-04-08 23:16:19 UTC (stable/9, 9.2-STABLE)
> 2014-04-08 23:16:05 UTC (releng/9.2, 9.2-RELEASE-p4)
> 2014-04-08 23:16:05 UTC (releng/9.1, 9.1-RELEASE-p11)
> 2014-04-08 23:16:19 UTC (stable/8, 8.4-STABLE)
> 2014-04-08 23:16:05 UTC (releng/8.4, 8.4-RELEASE-p8)
> 2014-04-08 23:16:05 UTC (releng/8.3, 8.3-RELEASE-p15)
> CVE Name: CVE-2014-0076, CVE-2014-0160
>

Thank you for finally patching that vulnerability.

Many of us, FreeBSD users, are deeply concerned about security. Yesterday we had a very busy day on #FreeBSD on freenode with many people asking why there is no SA and how to mitigate the threat or patch it on their own.

I understand that this is voluntary role and you have another (real life) responsibilities that's why I'd like to propose an idea of (at least partially) paid position of Security Officer, because we all need quick and efficient response in cases like that.

FreeBSD Community has a good history of paying for work, many of us supported phk@ in 2004, and recently FreeBSD Foundation hired several people to work for all of us.

Because I've no idea how Foundation had planned a budget for this year, I don't know if there is any money that can be allocated for that position. If not, maybe Foundation can conduct additional public fundraising for that purpose?

--
One of God's own prototypes. A high-powered mutant of some kind never even considered for mass production. Too weird to live, and too rare to die.
Pawel Biernacki <pawel.biernacki at gmail.com> writes:
> I understand that this is voluntary role and you have another (real
> life) responsibilities that's why I'd like to propose an idea of (at
> least partially) paid position of Security Officer, because we all
> need quick and efficient response in cases like that.

Having a paid Security Officer would not have made any difference.

DES
--
Dag-Erling Smørgrav - des at des.no