On Sat, Feb 03, 2001 at 02:11:25PM -0500, Adam Rothschild wrote:
On Sat, Feb 03, 2001 at 10:24:58AM -0800, Paul Vixie wrote:
Wrt the bind-members forum being discussed to death elsewhere, nobody can pay for early warnings. CERT will still be the source of early earnings. What people can pay for (bind-members participation) is the legal fees associated with NDA-level access to early fixes, if and only if they provide part of the internet's basic infrastructure (e.g., OS vendors and TLD server operators).
I'm a bit confused. Under this arrangement, what incentive is there for security-conscious common people to run BIND as a name server, rather than its various alternatives, most of which don't require preferential treatment in order to get timely security advisories/fixes?
Will the ISC implement similar policies with its INN and DHCP software in the foreseeable future, or is this something unique to BIND?
FWIW, here's djb's analysis of the current situation, which he posted recently on the dns@list.cr.yp.to mailing list:

| The Vixie cluster of companies---Vixie Enterprises, Nominum, Vayusphere,
| PAIX, M.I.B.H. (swallowed by Metromedia), etc.---is already doing its
| best to make money off BIND. They give us configuration problems and
| then sell support services; they give us reliability problems and then
| sell backup services; they give us security problems and then sell early
| access to security information.
|
| The natural next step is for them to start selling a BIND Pro with early
| access to features and bug fixes that'll be added someday to the free
| BIND. BIND isn't under the GPL, so there's no legal obstacle to this.
|
| ---Dan

--Adam