[18969] in bugtraq
Re: Security information for dollars?
daemon@ATHENA.MIT.EDU (Kristofer Coward)
Fri Feb 2 18:45:27 2001
Mime-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
Message-Id: <Pine.SGI.3.96.1010202124226.21275K-100000@snow.utoronto.ca>
Date: Fri, 2 Feb 2001 12:51:19 -0500
Reply-To: Kristofer Coward <kris@SNOW.UTORONTO.CA>
From: Kristofer Coward <kris@SNOW.UTORONTO.CA>
X-To: Cooper <Cooper@LINUXFAN.COM>
To: BUGTRAQ@SECURITYFOCUS.COM
In-Reply-To: <3A79D041.230A21C1@Linuxfan.com>

> 1. Inform the BIND developers.
>
> They will privately handle the issue, create some sort of patch or
> update and then send out a notification so that people know they need to
> upgrade. A day or so later the exploit for the problem can go public and
> everybody's happy. This is probably the way most people on this list
> would like things to be.
>
> Now, could someone explain to me why a select list of individuals should
> get an earlier warning?
> Where, given the above options (and include more if you think there are
> any), is there a real advantage in having a select few be aware of the
> problem in order to whip out a fix?

I suspect what is going on is that this select group of people is getting
counted among the developers for scenarios like the first ideal you
suggest. Only instead of contributing code (not to say they won't
contribute code) they pay (or are included because they run root
nameservers). I don't expect disclosure would be delayed for any of their
sake, they just get to start packaging (or applying in the case of root
and TLD nameservers) the fixes as soon as they hit the CVS tree instead of
as soon as they hit the mailing lists.

Basically, I think those of us in the rest of the world (i.e. not the ISC
or distributors) aren't going to see any difference apart from our vendors
providing update packages a few hours earlier.

Kris Coward