[18993] in bugtraq
Re: Security information for dollars?
daemon@ATHENA.MIT.EDU (Paul A Vixie)
Sun Feb 4 22:46:03 2001
Message-ID: <200102040444.UAA30124@redpaul.mfnx.net>
Date: Sat, 3 Feb 2001 20:44:22 -0800
Reply-To: Paul A Vixie <vixie@MFNX.NET>
From: Paul A Vixie <vixie@MFNX.NET>
To: BUGTRAQ@SECURITYFOCUS.COM
In-Reply-To: Message from Peter Jeremy <peter.jeremy@alcatel.com.au> of "Fri, 02 Feb 2001 08:06:07 +1100." <20010202080607.J52423@gsmx07.alcatel.com.au>
> From: Peter Jeremy <peter.jeremy@alcatel.com.au>
>
> >What does the community think of this change in direction?
>
> Given the importance of BIND to the Internet, I can see the benefits
> in having a closed group to handle security-related issues. As long
> as the membership is intended to provide a forum where security
> problems can be diagnosed and corrected without premature disclosure,
> it would seem to be a good idea.
That's the plan.
> If the intent is to provide a closed group with access to an `enhanced'
> BIND (and I don't believe it is), then I would be opposed to it.
That's NOT the plan.
> Overall, I have no problems with the creation of a "bind-members" group
> as long as:
> - The 'free' Unices (*BSD, various Linux distributions) are not
> (effectively) prevented from participating by requiring more than
> a nominal membership fee or other impediments.
That's the plan.
> - BIND source code remains freely available (at least for RELEASE and
> maybe BETA versions).
That's the plan.
> - Membership benefits do not include access to enhancements that are
> not publicly available.
That's the plan.
> - Security fixes and announcements are made publicly available in a
> timely manner.
That's the plan. (Same as now: via CERT).
> - The NDA requirements only cover details of bugs prior to their
> public announcement. Once a fix has been publicly announced,
> members are free to discuss the details of the problem.
That's the plan.