[34301] in North American Network Operators' Group


Re: Reasons why BIND isn't being upgraded

daemon@ATHENA.MIT.EDU (Joe Rhett)
Fri Feb 2 16:35:21 2001

Date: Fri, 2 Feb 2001 13:31:04 -0800
From: Joe Rhett <jrhett@isite.net>
To: Patrick Greenwell <patrick@cybernothing.org>
Cc: Bill Woodcock <woody@zocalo.net>, nanog@merit.edu
Message-ID: <20010202133104.B26023@isite.net>
Mail-Followup-To: Patrick Greenwell <patrick@cybernothing.org>,
	Bill Woodcock <woody@zocalo.net>, nanog@merit.edu
Mime-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Content-Disposition: inline
In-Reply-To: <Pine.BSF.4.21.0102021104020.40888-100000@localhost>; from patrick@cybernothing.org on Fri, Feb 02, 2001 at 11:13:56AM -0800
Errors-To: owner-nanog-outgoing@merit.edu


> Without rehashing the whole "open-disclosure" vs. "non-disclosure" 
> arguments related to security issues in software, or the historically
> extreme inadequacies of CERT in offering timely notification of ANY 
> security-related issues, it's very disappointing to see ISC resort to a
> fee-based, non-public-disclosure-at-the-time-of-discovery, NDA'd and
> "we'll update people via CERT" method of dealing with the community they
> have served for so long.
> 
> I would have hoped by now that lists such as Bugtraq would have adequately 
> exhibited the folly of such methodologies. 
 
The purpose of the list doesn't appear to be to circumvent Bugtraq -- you're
comparing two different issues. As I understand it, this list is
specifically for software vendors and root operators to get immediate
notification and patches to fix the bug in advance. You're confusing
a software patch support channel with a security response channel, which
ISC's list isn't intended to be. AFAIK -- I'm not related to ISC.

You also missed the note that not-for-profit and educational institutions
are free to join, and any other group may apply for similar status.

I frankly enjoy getting patches and having a few hours to apply them 
before the remaining world can start diffing the patches. This is true of
any channel. I don't always have time to read Bugtraq's high noise ratio.
I deeply appreciate any software vendor who provides direct notification to
paying support clients. This makes perfect sense.

-- 
Joe Rhett                                         Chief Technology Officer
JRhett@ISite.Net                                      ISite Services, Inc.

PGP keys and contact information:          http://www.noc.isite.net/Staff/
