On 2001-Jan-31 18:02:48 -0700, Theo de Raadt <[EMAIL PROTECTED]> wrote:
>What does the community think of this change in direction?
Given the importance of BIND to the Internet, I can see the benefits
in having a closed group to handle security-related issues. As long
as the membership is intended to provide a forum where security
problems can be diagnosed and corrected without premature disclosure,
it would seem to be a good idea. If the intent is to provide a closed
group with access to an `enhanced' BIND (and I don't believe it is),
then I would be opposed to it.
Overall, I have no problems with the creation of a "bind-members" group
as long as:
- The 'free' Unices (*BSD, various Linux distributions) are not
(effectively) prevented from participating by requiring more than
a nominal membership fee or other impediments.
- BIND source code remains freely available (at least for RELEASE and
maybe BETA versions).
- Membership benefits do not include access to enhancements that are
not publicly available
- Security fixes and announcements are made publicly available in a
timely manner.
- The NDA requirements only cover details of bugs prior to their
public announcement. Once a fix has been publicly announced,
members are free to discuss the details of the problem.
Peter
