On Fri, Feb 02, 2001 at 07:06:23AM -0600, Shalon Wood ([EMAIL PROTECTED]) was heard to 
have said:
> Cooper <[EMAIL PROTECTED]> writes:
> > Now, could someone explain to me why a select list of individuals should
> > get an earlier warning?
> I think this is the crux of the matter. Before you can say that this
> is a good idea, you first have to show that some people should get
> early notice. Quite frankly, I can see a *very* strong argument in
> favor of the root servers, CCTLD, &c operators getting advance
> notice. I can't think of *any* good reason for anyone else to get
> it. Sun, HP, IBM -- none of those are critical infrastructure.

While there has been a lot of hyperbole strewn about on this topic, I
figured I'd go out on a very long, slender limb and agree with the
stated purpose of this new conspiracy/cabal/clique/whatever.

I agree that TLDs should have early access to security related issues.
I can also make the same argument for vendors who ship bind as part of
their offerings, especially OS vendors like Sun, HP and IBM.

While most people who read this list are quite happy to go to ISC and
fetch the most recent code at the announcement of a bug, there are
*literally millions* of people who rely on the vendor to ship them an
updated version so they can pkgadd/swinstall/rpm it into place.  They
don't have the interest/skills/whatever necessary to maintain their own
versions of utilities they get from their vendor.  To them, named is
*part of the OS*, not something you hack into place by typing

Is it fair to them to delay a timely response from their vendor (who
are, by the nature of the size and scope of their operations, slower
than glaciers at releasing fixes) when that vendor could (and should)
have advance notice of a security flaw for which there are no known
exploits in the real world?  Sure, we can argue that vendors *should* be
faster, but that doesn't get the work done.

Flame away!



                                                     GREYMOUSER CONSULTING
              System, Network and Security Architecture and Administration
                          for Central Virginia (http://www.greymouser.com)
* S o l a r i s  *  H P - U X  *   L I N U X   *   W  i n d o w s   N T  *

Reply via email to