Re: Sysadmins, or....
I think this has to be one of the dumbest things I've ever seen and it's making me seriously doubt the wisdom of using Exim anymore.
Releasing security updates when most sysadmins, network admins, change control board and service desk staff are on holiday just opens the door for hackers to exploit the bug for a week before anyone can do anything about it. It may be an open source project, but the software is run by professional institutions who have change management processes and testing processes in place that they have to go through before deploying a new version. It isn't a case of SSH in, compile up the new version with all the bells and whistles and stick it in place. There are plugins and boundary cases that'll need testing against the new version, so unless we want to give up Christmas Day and Boxing Day, we have to just live with the fact that Exim may get hacked or turn off the mail system.
Microsoft release their patches on a Tuesday, which shows they've thought about this and realised when would be the best time to release a patch so that the sysadmins have the best opportunity to test and deploy in the shortest timeframe. Only when they see live exploits of a bug do they rush out a patch.
Unfortunately Exim now seems to be aimed at the hobbyist mail administrator who is available on Christmas Day and not at the large institution who would struggle to get enough of the IT team to work Christmas Day to roll out an upgrade.