PRE-ANNOUNCEMENT: BIND-Members Forum

Jeff Schreiber schreiber at process.com
Thu Feb 1 16:04:43 UTC 2001


>On Wed, Jan 31, 2001 at 10:44:46PM -0500, Brooklyn Linux Solutions CEO wrote:
>> This is complete and utter nonsense.  
>> When a vulnerability becomes known it's important for EVERYONE to
>> know about it and the remedy....not just a select few 
>

    I'm looking at this from a 3rd party vendor that ports BIND to another
    platform.  I've been trying to find a solution to the hell that occurs
    when a BIND related CERT advisory comes out.  In the time that I've
    been dealing with our ports of BIND, there have been a number of security
    advisories that have been released, and with the exception of one, they
    have all come as a surprise to me.

    I find out about the holes at the same time my customers find out about
    the holes.  I then have to figure out what the problem is, prepare an
    official response, and figure out what the fix might be, all while being
    distracted by the flood of e-mails and phone calls demanding an official
    response for something that was a surprise.

    As far as the proposal for this new list goes, I'm all for it.  Fee based
    or not fee based, I don't really care [I may care if I get a 'no' back
    from my powers that be].  Any pre-warning is better than what I have to
    go through now.

    I'm not in a situation where I can just download the code, compile it, 
    throw it into a patch and get it to my customers.  I need time to port
    the changes and make sure they run on my platform.

    This list doesn't add delay or anything like that.  Look at any CERT
    advisory.  With every CERT advisory, there are vendor responses.  Those
    vendors obviously were notified as the advisory was being written so
    they could deal with the issues and have a solution provided.  The only
    difference this list makes is that the smaller vendors that supply BIND
    or code based on BIND have the same chance to prepare responses and fixes
    to their customers prior to global notification.

    So I'm all for the idea.  It's not adding any secrecy at all, it's just
    an avenue ISC can use to notify those others that need to know to give
    them the same chance to prepare as ISC and the major vendors get.

                                                    -Jeff Schreiber
