BIND update?

[Remko Lodder]

Wesley Shields wrote:
> On Wed, Jul 09, 2008 at 01:27:06PM -0400, Josh Mason wrote:
>> On 7/9/08, Remko Lodder <remko at freebsd.org> wrote:
>>> Remko Lodder wrote:
>>>> Josh Mason wrote:
>>>>
>>>> Thanks, you really showed how you are by sending these replies. I wish you
>>> goodluck with your quest, perhaps someday someone can help you.
>>>> Goodbye.
>>>>
>>>>
>>> Hi,
>>>
>>> I am sorry for this reply, it was an expression of my frustation towards
>>> you. The frustation is just easily generated by people demanding support
>>> from volunteers, that are trying to service you and others in their own
>>> spare time. Time that they can also spend on different items, yet we
>>> crazy people decide to work on a Free Operating System, getting nothing
>>> payed for it, only happy users (Where possible) around us.
>>>
>>> I think you can understand my frustration, because I think you would reply
>>> the same if someone demanded even more free time from you.
>>>
>>> I hope you can understand this.
>>>
>>> //Remko
>>>
>> I completely understand and took no offence from your previous email -
>> I know I am being confrontational. I myself have been in that position
>> many a time before and know exactly how it feels. Unfortunately that
>> doesn't negate the responsibility of the security team to produce
>> patches quickly.
>>
>> The initial response of "the sec team is aware of the situation and
>> will investigate" was basically just fluff. If you weren't already
>> aware of it you aren't much of a sec team. What is needed is an
>> expected delivery. I would say considering the nature of the exploit
>> but honestly that shouldn't change anything at all. If the delivery
>> isn't going to be immediate there should always be an ETA provided. If
>> for nothing else other than so your users can plan around it (i.e.
>> "this is too long I need to take action myself" - "or X time or date
>> is sufficient I'll wait for the official release and apply it then").
>> Without that people are twiddling their thumbs wondering if there is
>> ever going to be one.
> 
> You have a good point there.  I'm not aware of any page which describes
> the current issues under investigation by the security team.  If such a
> thing does not exist I think it would be a good thing to have,
> especially if it details rough timelines for things.  By that I mean
> recording historic information and expected information (we received
> notification on this date, we expect to have a final advisory on this
> date).
> 
> In the security world there is a balance which must be maintained
> between providing information to consumers so that they may plan
> accordingly, and not providing too much information so that the
> attackers can write exploits; this is the sensitive nature of the
> information which often leads to opaque processes by security teams
> around the world.  There is the case where full details are released
> without advance notice to the vendors/projects, in which case the
> balance has been lost from the start.
> 
> Remko, do you - or anyone else - on the security team have any thoughts
> on this?  I'd be willing to step up and keep a wiki page (or something
> else) up to date with the information.
> 
> -- WXS

There will be no such page with information about pending items. 
Sometimes we are bound to non-disclosures etc. We handle this internally
and will continue to do so. If people cannot live with that (like Josh) 
then that's their challenge.

Note I speak largely for myself in this case. I am not going to support 
a wiki page or something. I do not know what the other secteam members 
think about that, but I expect something like my opinion.

//Remko

-- 

/"\   Best regards,                      | remko at FreeBSD.org
\ /   Remko Lodder                       | remko at EFnet
  X    http://www.evilcoder.org/          |
/ \   ASCII Ribbon Campaign              | Against HTML Mail and News