[34395] in North American Network Operators' Group
Re: Preferential notice of new versions
daemon@ATHENA.MIT.EDU (J Bacher)
Sun Feb 4 09:56:19 2001
Date: Sun, 4 Feb 2001 08:54:19 -0600 (CST)
From: J Bacher <jb@jbacher.com>
To: Sean Donelan <sean@donelan.com>
Cc: nanog@merit.edu
In-Reply-To: <20010204031023.22202.cpmta@c004.sfo.cp.net>
Message-ID: <Pine.OSF.4.21.0102040842180.8969-100000@ns.shawneelink.net>
> As far as I can tell, ISC did not say they would stop distributing patches
> through the same methods used now. If you don't want to pay, you will
> get the exact same patches, through the exact same methods you get them
> now. Which is pretty good for "free" software. If you get BIND via a
> vendor distribution, such as AIX, Solaris, OSF/1, Redhat, etc; your support
> channels will not change.
>
> I suspect the reality will be those companies paying ISC for "advanced
> notice" will get some warm fuzzy feelings, and let management feel
> they've done something. But it doesn't alter the fact the software
> had a vulnerability, and someone else could have found the hole long
> before any advanced notice is issued by ISC. How many folks will now
> query the root-name servers CHAOS version numbers looking for a change?

A couple of points on these issues:

1) No one has suggested that the current public distribution would go
away. What has been a point of concern is that the public may have to
wait [too long?] for vendors to get their act together and publish patches
before the new release hits the general distribution. A good many
companies don't rely on vendor patches.

2) Advanced notice has been called "paranoia" and "warm fuzzy". What it
really is -- is the opportunity to have a bit of time for planning instead
of engaging the gears for emergency mode.