Julian H. Stacey
2016-May-05  14:59 UTC
Batching errata & advisories in heaps degrades security.
Another bunch of security alerts degrades FreeBSD by being clumped together:
  Subject: [FreeBSD-Announce] FreeBSD Security Advisory FreeBSD-SA-16:17.openssl
  Date: Wed,  4 May 2016 22:55:46 +0000 (UTC)
  
  Subject: [FreeBSD-Announce] FreeBSD Errata Notice FreeBSD-EN-16:06.libc
  Date: Wed,  4 May 2016 22:56:31 +0000 (UTC)
  
  Subject: [FreeBSD-Announce] FreeBSD Errata Notice FreeBSD-EN-16:08.zfs
  Date: Wed,  4 May 2016 22:56:40 +0000 (UTC)
  
  Subject: [FreeBSD-Announce] FreeBSD Errata Notice FreeBSD-EN-16:07.ipi
  Date: Wed,  4 May 2016 22:56:35 +0000 (UTC)
I guess many recipients get tired of recent indigestible batches of
multiple FreeBSD Errata & think approx:
  _Why_ have they been artificially batching in recent years?
  I could spare time to interrupt work for one priority alert,
  not for a heap batched seconds apart! _Why_?!
  I have no time now to action all this heap! Maybe later ...
    ( & meanwhile security @ FreeBSD could complacently think:
    "We published all 4; if you don't immediately find time to
     secure all 4 & someone abuses you, don't blame us!" )
  Are they batched in the delusion that it will help FreeBSD public relations,
  to not scare people with too many days of FreeBSD alerts?
  Batching _Degrades_ security.  It is bad over-management;
  FreeBSD was better previously without batching, publishing each
  problem when analysed, not held back for batching.
Cheers,
Julian
-- 
Julian Stacey, BSD Linux Unix Sys Eng Consultant Munich http://berklix.eu/jhs/
 Mail plain text,  No quoted-printable, HTML, base64, MS.doc.
 Prefix old lines '> '  Reply below old, like play script.  Break lines by 80.
 Brexit: Meeting +UK blocks votes of Brits in EU  http://www.berklix.eu/brexit/
Benjamin Kaduk
2016-May-05  15:07 UTC
Batching errata & advisories in heaps degrades security.
On Thu, 5 May 2016, Julian H. Stacey wrote:

> Another bunch of security alerts degrades FreeBSD by being clumped together:
>
> I guess many recipients get tired of recent indigestible batches of
> multiple FreeBSD Errata & think approx:

I cannot recall whether you were participating in the discussion the last
time this topic came up. Regardless, it feels like it was somewhat recent
(a year or so).

> _Why_ have they been artificially batching in recent years?
> I could spare time to interrupt work for one priority alert,
> not for a heap batched seconds apart! _Why_?!
> I have no time now to action all this heap! Maybe later ...
> ( & meanwhile security @ FreeBSD could complacently think:
> "We published all 4; if you don't immediately find time to
> secure all 4 & someone abuses you, don't blame us!" )
> Are they batched in the delusion that it will help FreeBSD public relations,
> to not scare people with too many days of FreeBSD alerts?
> Batching _Degrades_ security. It is bad over-management;
> FreeBSD was better previously without batching, publishing each
> problem when analysed, not held back for batching.

As a member of the security team for two projects (not FreeBSD's, though),
I can say that it is a lot of behind-the-scenes work to put out advisories,
and batching them reduces the unit cost of any given one. I further note
that this recent batch that you are complaining about contained only one
security advisory and three errata notices; the contents of the errata
notices have been public for quite some time, and affected parties are
welcome to upgrade at their leisure [manually, without freebsd-update, of
course]. We can perhaps agree to disagree about whether the batching is
good, but I do not see much value in rehashing the same arguments
periodically.

-Ben