On Fri, 9 Feb 2001, Martin wrote:
> As you are probably aware, this is not so cut and dried. I don't want to
> start a holy war, or feed one even, but this statement would seem to be
> silly, even at first glance. The "cost" of notifying vendors quickly
I'm always up for a good holy war.....
> about security holes? Considering the ISC already maintains mailing
> lists, having a mailing list for BIND bugs which they're finding ANYWAY
> shouldn't really be costing them anything. Whether or not they're
> justified in creating this list is outside the scope of this document.
It *is* worth looking back over the past BIND bug list and public
disclosure and seeing which vendor-shipped products had fixes available
prior to the exploits being published. While the "for money" bit may be
debatable, I think anyone who thinks that giving the vendors using BIND
source code in their products a little advanced warning is
counter-productive to overall security might have questionable motives.
Expanding the cloud from root server operators to them plus vendors who
ship BIND seems to be not really earth-shattering for those of us not in
the group of root server operators who would have gotten such
notifications in the past.
> For me, the "hidden list" was the final straw. I switched to djbdns, and
> am VERY happy with it.
That makes me _really_ curious. You're saying that the long history of
remotely exploitable holes wasn't the final straw, but simply the fact
that vendors who get commercial gain out of shipping BIND in their
products having to pay for advanced notification tipped the bucket?
Don't get me wrong, I think djbdns is a good thing, I'm just really
curious about the motivation to switch, since I've had serious friction
from people who I recommended the switch to in the past.
Heck, if DJB went to a BSD license I'm sure he'd get a lot of traction,
but of course that doesn't seem to be his motivator.
Paul
-----------------------------------------------------------------------------
Paul D. Robertson "My statements in this message are personal opinions
[EMAIL PROTECTED] which may have no basis whatsoever in fact."