PRE-ANNOUNCEMENT: BIND-Members Forum
Jeff Schreiber
schreiber at process.com
Thu Feb 1 16:04:43 UTC 2001
>On Wed, Jan 31, 2001 at 10:44:46PM -0500, Brooklyn Linux Solutions CEO wrote:
>> This is complete and utter nonsense.
>> When a vulnerability becomes known it's important for EVERYONE to
>> know about it and the remedy....not just a select few
>
I'm looking at this from a 3rd party vendor that ports BIND to another
platform. I've been trying to find a solution to the hell that occurs
when a BIND related CERT advisory comes out. In the time that I've
been dealing with our ports of BIND, there have been a number of security
advisories that have been released, and with the exception of one, they
have all come as a surprise to me.

I find out about the holes at the same time my customers find out about
the holes. I then have to figure out what the problem is, prepare an
official response, and figure out what the fix might be, all while being
distracted by the flood of e-mails and phone calls demanding an official
response for something that was a surprise.

As far as the proposal for this new list goes, I'm all for it. Fee based
or not fee based, I don't really care [I may care if I get a 'no' back
from my powers that be]. Any pre-warning is better than what I have to
go through now.

I'm not in a situation where I can just download the code, compile it,
throw it into a patch and get it to my customers. I need time to port
the changes and make sure they run on my platform.

This list doesn't add delay or anything like that. Look at any CERT
advisory. With every CERT advisory, there are vendor responses. Those
vendors obviously were notified as the advisory was being written so
they could deal with the issues and have a solution provided. The only
difference this list makes is that the smaller vendors that supply BIND
or code based on BIND have the same chance to prepare responses and fixes
for their customers prior to global notification.

So I'm all for the idea. It's not adding any secrecy at all, it's just
an avenue ISC can use to notify those others that need to know, to give
them the same chance to prepare as ISC and the major vendors get.
-Jeff Schreiber