Re: Reasons why BIND isn't being upgraded
Wrt the bind-members forum being discussed to death elsewhere, nobody can pay for early warnings. CERT will still be the source of early warnings. What people can pay for (bind-members participation) is the legal fees associated with NDA-level access to early fixes, if and only if they provide part of the internet's basic infrastructure (e.g., OS vendors and TLD server operators).
I'm confused. I get the TLD server operators part. But you're saying that you'd only give OS vendors access to this information. How long does it take, say, Sun, to issue a patch update? Wouldn't it be much more efficient, and useful, to issue the information directly to the people using the software? How many people actually use the default vendor binaries anyway? You're now playing favorites with your software, which many people have been using, and relying on, and helped you improve, for years. "Sorry, you're not important enough to get any security notifications fast. Good luck getting it when you get it."

You stated "part of the internet's basic infrastructure". Explain how ISPs are not part of "the internet's basic infrastructure"? I mean, if you're going to charge for it, and have NDAs, why not allow anyone to pay for it? Depending on the price, if you're giving the info to "selected people", I know I'd pay for it (well, depending on the price). How do I know there's not going to be some script kiddie at Sun or somewhere that gets a hold of the information before I do, and doesn't care about an NDA?

Why not just go the sendmail.com route, if you're going to start charging, and make it much clearer: "If you want support, etc., then pay us. Otherwise, it's just Open Source, use at your own risk." I.e., *let* people make their own decision whether or not they feel it's worth the money. I think what's bothering me is that you're playing favorites, which, after so many people have been relying on bind for so long, just doesn't seem fair. But, I know, life isn't fair. All of a sudden this djbdns is starting to sound like an idea...

Jeff
--
Jeffrey Meltzer
Sr. Network Administrator
VillageWorld.com, Inc.
SolarisGuide: http://www.solarisguide.com
On Sat, 3 Feb 2001, Jeffrey Meltzer wrote:
I mean, if you're going to charge for it, and have NDA's, why not allow anyone to pay for it? Depending on the price, if you're giving the info to "selected people", I know i'd pay for it (well, depending on the price). How do I know there's not going to be some script kiddie at Sun or somewhere that gets a hold of the information before I do, and doesn't care about an NDA?
Obviously, they don't want people signing up who are only interested in the information for cracking purposes...but I find it very hard to believe vendors can be notified without vulnerability info being leaked. How many people at how many vendors are going to get early warning of the next big hole? Do you really think they're going to be able to put in the time to get the update ready ASAP without the fact that a new hole exists being leaked? I don't. Does anyone know yet what they plan to charge or if they even plan to charge uniformly? By "not-for-profit" members, do they mean actual legal (for tax purposes) non-profit organizations, or just anyone who doesn't directly profit from use/distribution of BIND? When GateD went this route, I was able to get an A&R (Academic and Research) license for free...but that license prevented me from actually using the restricted gated code at work. Will ISC be as free with the free memberships as the GateD Consortium was?
All of a sudden this djbdns is starting to sound like an idea...
Except he's got his own set of restrictions that make it a PITA to rely on his code.
--
Jon Lewis *jlewis@lewis.org* | I route
System Administrator | therefore you are
Atlantic Net |
http://www.lewis.org/~jlewis/pgp for PGP public key
All of a sudden this djbdns is starting to sound like an idea...
(second post) While the idea of another program to serve DNS isn't all that bad, I think jumping ship just because of one new policy isn't necessarily the most prudent thing to do. I sort of see this "Oh my lord, if Bush gets elected I'm renouncing my citizenship and moving to Europe" mentality WRT the new BIND policy. Bush is in office, and I don't see anyone leaving the country :-)

WRT djbdns: I've had a moderate level of experience with it, and, while it seems interesting to an extent, operationally I've had several annoying encounters with it. When challenged, I seem to get the reply of "maybe some time later it will have that" or "that is insecure, djb doesn't support that". djbdns is also very infant - it's probably not popular enough for all the skr1pt k1dd13s to have an interest in hacking at, because finding a vulnerability in djbdns is about as useful to the "wreaker of havoc" as finding a master door and ignition key to a '58 pinto -- there's about 17 of them on the planet :-)

WRT bind: I don't think that the infrastructures that I run have DNS of significant enough impact to require first-alert notification, and the stuff that I *do* run that *does* require it has outsourced DNS - so .. I don't think I'll be subscribing to "commercial advanced notification" (unless I make Paul's A-List and get it comp), but I don't think what the BIND project is doing is out of line in any way. Nobody seems to understand or appreciate the work that has gone into bind, and everyone's mad that one little aspect of something that they've been getting for free, for years, isn't free anymore. It's software. It requires man-hours, time, effort, resources and above all talent.. It's not like BIND is being discontinued and made commercial-only. (Even then I don't think many would have a valid argument.) I fail to see the point of discussing or arguing partial commercialization of premium services -- I haven't seen one valid point yet.

jamie
--
i am jamie at arpa dot com .. and this is my .sig.
core1.dns.microsoft.com# sho access-list 101
Extended IP access list 101
deny udp any any eq domain (874572345872345 matches)
in the code.... (checking to see if I can still post... :)
BINDv4 & v8 - From the Berkeley source
BINDv9 - Nominum developed
djbdns - Daniel J's contribution
Microsoft - Redmond code & variants
dents - who is this again?
ultradns - Hotz et al.
all claim to have independently generated code bases. Are there others? URLs would be nice...
--bill
I'm confused. I get the TLD server operators part. But you're saying that you'd only give OS vendors access to this information. How long does it take, say, Sun, to issue a patch update? Wouldn't it be much more efficient, and useful, to issue the information directly to the people using the software? How many people actually use the default vendor binaries anyway?
Just about every very large company that I've ever worked with. Also, having spent numerous years working the NAVSEA and other Pentagon systems, you are explicitly not permitted to install anything other than a vendor-provided patch. My god, are there really this many idiots out there that don't grasp how the world works?
--
Joe Rhett
Chief Technology Officer
JRhett@ISite.Net
ISite Services, Inc.
PGP keys and contact information: http://www.noc.isite.net/Staff/
On Sat, Feb 03, 2001 at 04:43:47PM -0800, Joe Rhett wrote:
My god, are there really this many idiots out there that don't grasp how the world works?
core1.chi(config)# router opinion JoeRhett % NANOG-5-NOSUCH: NanogTalk node 31337.123 misconfigured: unnecessary comment/opinion discarded
I'm confused. I get the TLD server operators part. But you're saying that you'd only give OS vendors access to this information. How long does it take, say, Sun, to issue a patch update? Wouldn't it be much more efficient, and useful, to issue the information directly to the people using the software? How many people actually use the default vendor binaries anyway?
Just about every very large company that I've ever worked with. Also, having spent numerous years working the NAVSEA and other Pentagon systems, you are explicitly not permitted to install anything other than a vendor-provided patch.
My god, are there really this many idiots out there that don't grasp how the world works?
Good. Reduce yourself to insults and don't even answer the [first] question.
I'm confused. I get the TLD server operators part. But you're saying that you'd only give OS vendors access to this information. How long does it take, say, Sun, to issue a patch update? Wouldn't it be much more efficient, and useful, to issue the information directly to the people using the software? How many people actually use the default vendor binaries anyway?
Just about every very large company that I've ever worked with. Also, having spent numerous years working the NAVSEA and other Pentagon systems, you are explicitly not permitted to install anything other than a vendor-provided patch.
My god, are there really this many idiots out there that don't grasp how the world works?
Good. Reduce yourself to insults and don't even answer the [first] question.
You're right about the insult, but the point remains -- it doesn't matter how long Sun takes. He isn't changing how the security information gets to the world, he's providing Sun a support channel for assistance integrating the security fix. In my experience (being a paying Sun support contract customer) I've gotten security fixes from Sun in a time range from 2-6 hours. 6 hours was the longest time that I've experienced from handing them a security flaw they didn't know about until I had a valid patch in my hands. On a closed circuit channel for security updates.
--
Joe Rhett
Chief Technology Officer
JRhett@ISite.Net
ISite Services, Inc.
PGP keys and contact information: http://www.noc.isite.net/Staff/
Good. Reduce yourself to insults and don't even answer the [first] question.
You're right about the insult, but the point remains -- it doesn't matter how long Sun takes. He isn't changing how the security information gets to the world, he's providing Sun a support channel for assistance integrating the security fix.
If a new distribution is available, why penalize those that don't need a distro from a vendor to perform an upgrade? That's the point. Big or small wrt company size is irrelevant. This question may have already been answered but I dropped off early last night.
In my experience (being a paying Sun support contract customer) I've gotten security fixes from Sun in a time range from 2-6 hours. 6 hours was the longest time that I've experienced from handing them a security flaw they didn't know about until I had a valid patch in my hands.
On a closed circuit channel for security updates.
I'm a paying customer with a different vendor. I use my experience from a few years ago to not rely on vendor knowledge, let alone patches, in emergency mode. The point is: there are many companies that don't pay for vendor support. They may or may not be big. Why would you or anyone else prefer to inject criticism toward their concern for network security (particularly in light of all of the pissing and moaning that goes on in this list wrt this subject) just because they do things differently than you?
participants (7): bmanning@vacation.karoshi.com, J Bacher, jamie rishaw, Jeffrey Meltzer, jlewis@lewis.org, Joe Rhett, ken harris.