Miroslav Lachman
2019-May-16 03:13 UTC
FreeBSD flood of 8 breakage announcements in 3 mins.
Mel Pilgrim wrote on 2019/05/16 02:30:
[...]
> By batching updates, FreeBSD is making administrative decisions for
> other people's systems. Some folks don't need to worry about scheduling
> downtime and will benefit from faster update availability. Folks who
> need to worry about scheduling downtime are already going to batch
> updates and should be allowed to make those decisions for themselves.
> Batched SAs help in neither case.
>
> Example: the ntpd CVE is more than two months old, and was rapidly fixed
> in ports. I was able to switch my systems to the ports ntpd during a
> scheduled downtime window in March instead of doing it this weekend. So
> not only did I benefit from the faster update availability, I was able
> to make my own decision about my own systems and significantly reduce my
> exposure.
>
> Don't be Microsoft. Don't sit on security updates.

+1

Delaying / hiding security updates cannot be good. The vulnerability
already exists. Delayed updates do a favor to "bad persons", not
sysadmins. Even information about a found vulnerability is more valuable
for sysadmins than silence. Some vulnerabilities can be mitigated by
configuration changes or some service replacement (e.g. ntpd). But if I
don't know that there is some vulnerability I cannot do anything.

It would also be good if base system vulnerabilities are first published
in FreeBSD VuXML. Then it can be reported to sysadmins by the package
security/base-audit.

None of these recent Sec. Advisories are listed in VuXML yet! It's a bad
example of not dogfooding there.

I am not saying that the FreeBSD SO does bad work. I really appreciate it. But
there is still something to improve.

Kind regards
Miroslav Lachman
On Wed, May 15, 2019 at 9:14 PM Miroslav Lachman <000.fbsd at quip.cz> wrote:
>
> Mel Pilgrim wrote on 2019/05/16 02:30:
> [...]
> > By batching updates, FreeBSD is making administrative decisions for
> > other people's systems. Some folks don't need to worry about scheduling
> > downtime and will benefit from faster update availability. Folks who
> > need to worry about scheduling downtime are already going to batch
> > updates and should be allowed to make those decisions for themselves.
> > Batched SAs help in neither case.
> >
> > Example: the ntpd CVE is more than two months old, and was rapidly fixed
> > in ports. I was able to switch my systems to the ports ntpd during a
> > scheduled downtime window in March instead of doing it this weekend. So
> > not only did I benefit from the faster update availability, I was able
> > to make my own decision about my own systems and significantly reduce my
> > exposure.
> >
> > Don't be Microsoft. Don't sit on security updates.
>
> +1
>
> Delaying / hiding security updates cannot be good. The vulnerability
> already exists. Delayed updates do a favor to "bad persons", not
> sysadmins. Even information about a found vulnerability is more valuable
> for sysadmins than silence. Some vulnerabilities can be mitigated by
> configuration changes or some service replacement (e.g. ntpd). But if I
> don't know that there is some vulnerability I cannot do anything.
>
> It would also be good if base system vulnerabilities are first published
> in FreeBSD VuXML. Then it can be reported to sysadmins by the package
> security/base-audit.

+1. Reporting base + ports vulnerabilities in a common way would be great.
I assume that this is already part of the pkgbase project being worked on
by brd and others.

> None of these recent Sec. Advisories are listed in VuXML yet! It's a bad
> example of not dogfooding there.
>
> I am not saying that the FreeBSD SO does bad work. I really appreciate it. But
> there is still something to improve.
>
> Kind regards
> Miroslav Lachman