Batching errata & advisories in heaps degrades security.
Benjamin Kaduk
kaduk at MIT.EDU
Thu May 5 15:13:26 UTC 2016
On Thu, 5 May 2016, Julian H. Stacey wrote:
> Another bunch of security alerts degrades FreeBSD by being clumped together:
>
> I guess many recipients get tired of recent indigestible batches of
> multiple FreeBSD Errata & think approx:
I cannot recall whether you were participating in the discussion the last
time this topic came up. Regardless, it feels like it was somewhat recent
(a year or so).
> _Why_ have they been artificially batching in last years ?
> I could spare time to interrupt work for one priority alert,
> Not for a heap batched seconds apart ! _Why_ ?!
> I have no time now to action all this heap ! Maybe later ...
> ( & meanwhile security @ FreeBSD could complacently think:
> "We published all 4, if you don't immediately find time to
> secure all 4 & someone abuses you, don't blame us !" )
> Are they batched in delusion it will help FreeBSD public relations,
> to not scare people with too many days with FreeBSD alerts ?
> Batching _Degrades_ security. It is bad over-management,
> FreeBSD was better previously without batching, publishing each
> problem when analysed, Not held back for batching.
As a member of the security team for two projects (not FreeBSD's, though),
I can say that it is a lot of behind-the-scenes work to put out
advisories, and batching them reduces the unit cost of any given one.
I further note that this recent batch that you are complaining about
contained only one security advisory and three errata notices; the
contents of the errata notices have been public for quite some time, and
affected parties are welcome to upgrade at their leisure [manually, without
freebsd-update, of course].
We can perhaps agree to disagree about whether the batching is good, but I
do not see much value in rehashing the same arguments periodically.
-Ben