Re: Security information for dollars?

2001-02-04 Thread Paul A Vixie

 From: Peter Jeremy [EMAIL PROTECTED]

 What does the community think of this change in direction?

 Given the importance of BIND to the Internet, I can see the benefits
 in having a closed group to handle security-related issues.  As long
 as the membership is intended to provide a forum where security
 problems can be diagnosed and corrected without premature disclosure,
 it would seem to be a good idea.

That's the plan.

 If the intent is to provide a closed group with access to an `enhanced'
 BIND (and I don't believe it is), then I would be opposed to it.

That's NOT the plan.

 Overall, I have no problems with the creation of a "bind-members" group
 as long as:
 - The 'free' Unices (*BSD, various Linux distributions) are not
   (effectively) prevented from participating by requiring more than
   a nominal membership fee or other impediments.

That's the plan.

 - BIND source code remains freely available (at least for RELEASE and
   maybe BETA versions).

That's the plan.

 - Membership benefits do not include access to enhancements that are
   not publicly available

That's the plan.

 - Security fixes and announcements are made publicly available in a
   timely manner.

That's the plan.  (Same as now: via CERT).

 - The NDA requirements only cover details of bugs prior to their
   public announcement.  Once a fix has been publicly announced,
   members are free to discuss the details of the problem.

That's the plan.



Re: kyxspam: isc loses mind

2001-02-02 Thread Paul A Vixie

 Sorry for the strong words, but the ISC is fucked up, apparently.  But I
 should have guessed that when I first (tried to) read the later versions
 of bind source (with apologies to Bill Norton, the original project
 manager for that development).  I just had to be slapped in the face with
 it again, repeatedly, to wake up to this harsh reality. Someone, please,
 tell me there is another alternative - because with the direction it's
 headed now, the Internet based on bind isn't looking like it's going to
 be a very good, reliable, or secure, network.

what you need can be found at http://www.isc.org/products/BIND/bind9.html.
(anyone who looked at bind4's internals, or bind8's, and puked, needs to
look at bind9, which is completely different.)



Re: Security information for dollars?

2001-02-01 Thread Paul A Vixie

 This won't help anything other than giving the organizations with more
 money/resources an advantage over others. IMHO, if you want to stomp out the
 problem, you need to disseminate it far and wide (along with the solution),
 which will render the hole useless to those that would exploit it.

that's an important viewpoint and i thank you for airing it.

 However, decisions like these may lead to alternatives to BIND (some of
 which may work much better) -- so if they want to run themselves out of
 business, falling victim to people that understand the need for
 full-disclosure... *shrug*

i am amazed at the continuous supply of dupes who are willing to believe
the kinds of factual errors promulgated by posts like theo's.  he said:

 What does the community think of this change in direction?

it's not a change in direction, as explained separately.

(there is no plan to stop doing what isc has always done, which is work with
cert to propagate security information to the public in responsible ways.
but, isc also needs direct relationships to the vendors involved.  this is it.)