PRE-ANNOUNCEMENT: BIND-Members Forum

Joseph S D Yao jsdy at cospo.osis.gov
Thu Feb 1 19:35:04 UTC 2001


On Wed, Jan 31, 2001 at 08:39:35PM -0500, Jeffrey C. Albro wrote:
> On Wed, 31 Jan 2001, Cricket Liu wrote:
> > > This is not an open source but a full/partial disclosure issue.
> > 
> > No, it's not.  No one is arguing that the vulnerabilities shouldn't
> > be disclosed and disclosed fully.  The question is when.
> 
> I agree.  However, the "when" part needs to be laid out MUCH more
> clearly.  If a vulnerability is found on the first of the month, and the
> main bind tree is patched by the seventh of the month, how long do you
> wait for vendors to patch their (assuming they have forked to some
> extent) version?  To the 14th of the month?  How long will a viable fix of
> the main source tree be held in secret?  

This is a very good question, and one that should be addressed before
the organization stage of this group is finalized.  Unfortunately, it
sounds like too many doomsayers are believing that somebody has it in
for them, and that the trigger points will be far past the ideal times.

Also unfortunately, given the saddening intrusion of reality into all
this, the group may not be able to come up with fixed "N-day" triggers
as you list above.  However, they should probably have SOME trigger
events listed, with perhaps N-day timeouts.  [Think of this as a
critical piece of fault-tolerant real-time software.  ;-)]

-- 
Joe Yao				jsdy at cospo.osis.gov - Joseph S. D. Yao
COSPO/OSIS Computer Support					EMT-B
-----------------------------------------------------------------------
This message is not an official statement of COSPO policies.