Re: Preferential notice of new versions
On Sat, 03 February 2001, Adam Rothschild wrote:
> On Sat, Feb 03, 2001 at 10:00:51PM -0800, Joe Rhett wrote:
> > Sure they do! Try reading the website once or twice. Then you can take your foot out of your mouth.
>
> I did. Seems pretty clear that, unless you're a TLD server operator or large and respected OS vendor, they don't want to provide you with early advisories, paid or otherwise.
It seems pretty clear if you don't pay, you receive exactly the same advisories you receive now. No more, no less, no sooner, no later.

CERT has always told a few other groups about vulnerabilities prior to their public release of advisories (vendors, some affected parties, etc). If anything, ISC's comments seem directed at CERT's procedures. Instead of trying to pass the information back and forth through CERT, ISC is adding a direct mechanism for the same groups to communicate.

It doesn't affect any of the other existing communication channels. CERT issues a public alert about a vulnerability on its schedule. BUGTRAQ users continue to post exploits when and how they choose. And as always, the source code for all ISC released versions of BIND is available, so you can find all the flaws yourself.

I will, and have, flogged Paul for doing stuff; but I'm afraid I don't understand the uproar about this one. I suspect there is another way to get yourself on the "list." Find and fix some significant bugs in BIND.

On 4 Feb 2001, Sean Donelan wrote:
> It seems pretty clear if you don't pay, you receive exactly the same advisories you receive now. No more, no less, no sooner, no later.
>
> CERT has always told a few other groups about vulnerabilities prior to their public release of advisories (vendors, some affected parties, etc).
The odd thing is, I think Paul said past and future security notifications have been and will be distributed via CERT (to non-bind-members). I could be wrong, but I don't think I've ever gotten initial notification of a BIND security problem from CERT. Heck...even this most recent one was first publicized via nanog several days before the CERT notification. Obviously, if the masses have to wait for CERT, we will be getting later notification than in the past.

--
----------------------------------------------------------------------
 Jon Lewis *jlewis@lewis.org*|  I route
 System Administrator        |  therefore you are
 Atlantic Net                |
_________ http://www.lewis.org/~jlewis/pgp for PGP public key_________

> The odd thing is, I think Paul said past and future security notifications have been and will be distributed via CERT (to non-bind-members). I could be wrong, but I don't think I've ever gotten initial notification of a BIND security problem from CERT. Heck...even this most recent one was first publicized via nanog several days before the CERT notification.
Paul has repeatedly stated that nothing will change about how notifications are done, thus you can probably expect to see a notification here in advance of CERT.

Note that I'm not speaking for Paul, ISC, etc.

--
Joe Rhett
Chief Technology Officer
JRhett@ISite.Net
ISite Services, Inc.
PGP keys and contact information: http://www.noc.isite.net/Staff/

participants (3): jlewis@lewis.org, Joe Rhett, Sean Donelan