Products Openwall GNU/*/Linux   server OS Linux Kernel Runtime Guard John the Ripper   password cracker Free & Open Source for any platform in the cloud Pro for Linux Pro for macOS Wordlists   for password cracking passwdqc   policy enforcement Free & Open Source for Unix Pro for Windows (Active Directory) yescrypt   KDF & password hashing yespower   Proof-of-Work (PoW) crypt_blowfish   password hashing phpass   ditto in PHP tcb   better password shadowing Pluggable Authentication Modules scanlogd   port scan detector popa3d   tiny POP3 daemon blists   web interface to mailing lists msulogin   single user mode login php_mt_seed   mt_rand() cracker Services Publications Articles Presentations Resources Mailing lists Community wiki Source code repositories (GitHub) Source code repositories (CVSweb) File archive & mirrors How to verify digital signatures OVE IDs What's new

Date: Wed, 24 Apr 2013 12:49:06 -0600
From: Kurt Seifried <kseifried@...hat.com>
To: oss-security@...ts.openwall.com
CC: Dag-Erling Smørgrav <des@....no>
Subject: Re: Advisory dates

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

On 04/24/2013 09:00 AM, Dag-Erling Smørgrav wrote:
> I'm curious as to what kind of policies various distros have in
> place wrt release dates for advisories.  We (FreeBSD) have a list
> of dates to avoid, which include major religious holidays, New
> Year's Day etc., and try to avoid releasing advisories on or
> immediately before these dates. But May is often problematic, with
> May Day (May 1st) and Liberation Day (May 8th in Western Europe,
> May 9th in Eastern Europe) clustered together.  An early Easter
> adds Ascension to the mix (May 17th last year, May 9th this year).
> A late Easter is even worse: the Holy Week in late April, followed
> by a four-day week, with the next week cut short by May 1st and the
> one after that amputated by May 8th / 9th.
> 
> Not to mention national or regional holidays such as Cinco de Mayo
> (May 5th, obviously) or Norway's Constitution Day (May 17th)...
> 
> How do you deal with situations like this?  And do you have
> documented policies or guidelines?

Ultimately if we start scoring off major holidays we've have no
release dates left ;)

In general Red Hat goes by major North American statutory holidays
(many of which tend to be global, e.g. Christmas). We also do our best
to avoid North American Friday (which is Saturday in Europe/Asia) and
North American Saturday/Sunday as well. Other than that we tend to
release as needed:

https://www.redhat.com/archives/rhsa-announce/2013-April/date.html

and so on. Also some historical data on which weekdays/times are the
busiest:

http://www.awe.com/mark/blog/20111111.html

> DES


- -- 
Kurt Seifried Red Hat Security Response Team (SRT)
PGP: 0x5E267993 A90B F995 7350 148F 66BF 7554 160D 4553 5E26 7993
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.13 (GNU/Linux)

iQIcBAEBAgAGBQJReCkiAAoJEBYNRVNeJnmTFq4P/0KfKYmig+pL8S/6hDXN42L/
fBUFP+l7vFGbVRcY4ycWRrTHUR+k0WrsP4SsVbkNDWHTT9x83lzRLSlAlHJ6Uw0C
YFN6uBQpNjpeh/qqzUSxg3jx0O1y/TyY+yB2U6Mu5JY+2tZMHzC2/NI/hxBbKAbz
hjEN7vZOnmSa6cw83x0ps6Zuz4RnzIi6Eon51AMZ+xuqhREM1q08SsLlaLERj+a3
D0jzAQAv8sscO+ROlCA/hTW1UTkzsSWTBRb55RS6WzlYXwZ28fn7mLh8zE7FwIAC
yBJAqy1awSpktCEBmMayiohI7ZHAV70cNmP7crJZIACrfElmHp9F0Dpuuf24abv3
qXsm3d9i8a3QslIc77kYO7W2ya5NJfmQ0gIOBvLXLsvEBPNDu2KZtiY1tHfoe++l
FMHP1OFsLEIftFH5UxIljQcvVPw5DFimFPW5UA+QwzNJVm2hzf4hZb0LjLqayPIW
qG/CC0yrWC3ohh5Mh2y8GD5MRxROxkKluFM1s7+A/bXfF0E4IHY0zDsSrNawaRsF
GCsb4Y1Zn+YmD+WxoSa6Tqk9ysii8+g7O21cUeNBRskXp5xYVlTuM4n9V96FJXFs
Pyzwy5IfHDdAm26oB4eOiD0Y3I5arlORgB8mIg0R6YMwsT6US6j5SONIdn/nHr+H
fFCT7x5pmGXQkkU3LaQn
=JOPE
-----END PGP SIGNATURE-----

Powered by blists - more mailing lists

Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.

Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.