Benjamin Kaduk
2016-May-05 15:07 UTC
Batching errata & advisories in heaps degrades security.
On Thu, 5 May 2016, Julian H. Stacey wrote:

> Another bunch of Security alerts, degrades FreeBSD by being clumped together:
>
> I guess many recipients get tired of recent indigestible batches of
> multiple FreeBSD Errata & think approx:

I cannot recall whether you were participating in the discussion the last
time this topic came up. Regardless, it feels like it was somewhat recent
(a year or so).

> _Why_ have they been artificially batching in last years ?
> I could spare time to interrupt work for one priority alert,
> Not for a heap batched seconds apart ! _Why_ ?!
> I have no time now to action all this heap ! Maybe later ...
> ( & meanwhile security @ FreeBSD could complacently think:
> "We published all 4, if you don't immediately find time to
> secure all 4 & someone abuses you, don't blame us !" )
> Are they batched in delusion it will help FreeBSD public relations,
> to not scare people with too many days with FreeBSD alerts ?
> Batching _Degrades_ security. It is bad over-management,
> FreeBSD was better previously without batching, publishing each
> problem when analysed, Not held back for batching.

As a member of the security team for two projects (not FreeBSD's, though),
I can say that it is a lot of behind-the-scenes work to put out advisories,
and batching them reduces the unit cost of any given one. I further note
that this recent batch that you are complaining about contained only one
security advisory and three errata notices; the contents of the errata
notices have been public for quite some time, and affected parties are
welcome to upgrade at their leisure [manually, without freebsd-update, of
course]. We can perhaps agree to disagree about whether the batching is
good, but I do not see much value in rehashing the same arguments
periodically.

-Ben
Julian H. Stacey
2016-May-05 16:25 UTC
Batching errata & advisories in heaps degrades security.
Benjamin Kaduk wrote:

> As a member of the security team for two projects (not FreeBSD's, though),
> I can say that it is a lot of behind-the-scenes work to put out
> advisories,

Of course.

> and batching them reduces the unit cost of any given one.

If so, their issue, not ours. Our concern is FreeBSD.

> the
> contents of the errata notices have been public for quite some time

URLs ? If info was complete early, delaying those announcements degraded
security of recipients. Batching also swamps recipients.

Julian
--
Julian Stacey, BSD Linux Unix Sys Eng Consultant Munich http://berklix.eu/jhs/
 Mail plain text, No quoted-printable, HTML, base64, MS.doc.
 Prefix old lines '> '  Reply below old, like play script.  Break lines by 80.
Brexit: Meeting +UK blocks votes of Brits in EU http://www.berklix.eu/brexit/