Ben Greenbaum wrote:
> As I expected, there has been a flood of responses to the news about ISC's
> plan for a bind-members program. Rather than approve each, I have
> summarized many of them here.

Personally, from what I'm seeing in these responses, a lot of people are
jumping to conclusions, and trying to make this a much bigger issue than
it really is. I get the feeling people saw "members only" and "fee-based",
and immediately assumed -everything- was changing. But it's not. Some

1) Nowhere in the announcement did it say that they intend to close up
any existing mailing lists, nor did it say anything about making the existing
source tarballs no longer available. All of that is going to stay the same
as it is currently.

2) Nowhere in the announcement did it say that they would not continue to
provide general security announcements and product releases to the community

3) The "members only" early notification list is already something that is
done on an ad-hoc basis. ISC developers knew about the bugs when they were
first notified about them. They worked on fixes for them, and got releases
ready to go. They also notified key vendors that a security hole existed
and that the updates were on the way. (The FreeBSD security officer said
they were notified sometime last week, days before the releases were available
and the CERT announcement was made.) This is just a formalization of that

4) As for the NDAs, I don't think that's a bad idea, given all of the above.
As with all things it's difficult to form a totally valid opinion without all
the facts in evidence, but to me it looks much more like this: "We will give
you early access to information about pending releases and security announcements
so that you can get your products updated and releases ready for your customers.
In return, we will require you to keep this early information to yourself until
we make our official public announcement." I know there are different opinions
on the issue of full/immediate disclosure vs. delayed disclosure and giving a
vendor a chance to get fixes ready, and -that- issue will never reach a point
where everybody agrees. But really, the ISC announcement is just making the
"delayed disclosure to allow fixes to be ready" issue a bit more formalized,
and the NDA allows them to "safely" extend it to cover not just ISC, but the
vendors that depend on ISC for their own products.

5) Fees. This is probably the most questionable of things, but unless the fees
are sky-high, I don't think it's totally unreasonable. A more formalized structure,
with extra benefits such as security training and such, virtually requires cash
to be able to run efficiently. And the fee exception for non-profits is a good

It really isn't that drastic of a change, people. Nothing that you currently have
is going to change or go away. They're just adding a new service and channel of
information for certain classes of entities. I don't think that's bad at all. And
frankly, I like the idea of formalizing the process, and letting vendors who use
BIND get product updates and their own security announcements ready to go all at
once, so that when the "big" public announcement is made, patches and such are
fully ready to go.