[18944] in bugtraq
Re: Security information for dollars?
daemon@ATHENA.MIT.EDU (Peter Jeremy)
Fri Feb 2 03:46:15 2001
Mail-Followup-To: BUGTRAQ@SECURITYFOCUS.COM, Theo de Raadt
<deraadt@CVS.OPENBSD.ORG>, Paul A Vixie <Paul_Vixie@isc.org>
Message-Id: <20010202080607.J52423@gsmx07.alcatel.com.au>
Date: Fri, 2 Feb 2001 08:06:07 +1100
Reply-To: Peter Jeremy <peter.jeremy@ALCATEL.COM.AU>
From: Peter Jeremy <peter.jeremy@ALCATEL.COM.AU>
To: BUGTRAQ@SECURITYFOCUS.COM
In-Reply-To: <200102010102.f1112mb19975@cvs.openbsd.org>; from
deraadt@CVS.OPENBSD.ORG on Wed, Jan 31, 2001 at 06:02:48PM -0700

On 2001-Jan-31 18:02:48 -0700, Theo de Raadt <deraadt@CVS.OPENBSD.ORG> wrote:
>What does the community think of this change in direction?

Given the importance of BIND to the Internet, I can see the benefits
in having a closed group to handle security-related issues. As long
as the membership is intended to provide a forum where security
problems can be diagnosed and corrected without premature disclosure,
it would seem to be a good idea. If the intent is to provide a closed
group with access to an `enhanced' BIND (and I don't believe it is),
then I would be opposed to it.

Overall, I have no problems with the creation of a "bind-members" group
as long as:

- The 'free' Unices (*BSD, various Linux distributions) are not
  (effectively) prevented from participating by requiring more than
  a nominal membership fee or other impediments.
- BIND source code remains freely available (at least for RELEASE and
  maybe BETA versions).
- Membership benefits do not include access to enhancements that are
  not publicly available.
- Security fixes and announcements are made publicly available in a
  timely manner.
- The NDA requirements only cover details of bugs prior to their
  public announcement. Once a fix has been publicly announced,
  members are free to discuss the details of the problem.

Peter