Board: FB_security
Subject: Re: Proposal
Posted from: NCTU CS FreeBSD Server (Thu Apr 10 00:37:42 2014)
Relay path: ptt!csnews.cs.nctu!news.cednctu!FreeBSD.cs.nctu!.POSTED!freebsd.org!ow
On 09/04/2014 16:17, Walter Hop wrote:
>> In my opinion this issue couldn't have been handled any better considering what it takes to do the job properly, congrats to the security team from me.
>>
>> -Kimmo
>
> Please don't frame this as criticism of the security people, that's not fair. Of course we all congratulate them :)
>
> I think we're just interested in discussing what could be improved to improve response time and also make their lives better.
>
> Do we need moar Jenkins? Extra build boxes? More cash to keep people on retainer? Resources for training new people? Liaisons with other projects to improve prior notification channels? Etc.
>
> FreeBSD ports had a fix after ~4 hours I think, Ubuntu patched their base about an hour later, FreeBSD base took around 24 hours. Not super bad, but I think it's safe to expect much more scrutiny of security-critical code in the coming years, so it looks like a good time to try to streamline if possible at all.
>
> The public attention for this and similar events may also provide a unique window of opportunity for soliciting extra resources from professional users (e.g. via a Foundation campaign).
>
24 hours for a fix that doesn't break ABI and is relatively simple (and proven to be fine by other distros) is horrendous for such a critical problem. I mentioned this on Twitter also, but there wasn't even a heads-up from the SO until the patch went live.
_______________________________________________
[email protected] mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-security
To unsubscribe, send any mail to "[email protected]"